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(54) Secure gateway and method for communication between networks 



(57) An apparatus and method for providing a se- 
cure firewall between a private networl^ (10) and a public 
network (12) are disclosed. The apparatus is a gateway 
station (1 4) having an operating system that is modified 
to disable communications packet forwarding, and fur- 
ther modified to process any communications packet 
having a network encapsulation address which matches 
the device address of the gateway station. The method 
includes enabling the gateway station to transparently 
initiate a first communications session with a client on a 
first network requesting a network service from a host 
on a second network, and a second Independent com- 
munications session with the network host to which the 
client request was addressed. The data portion of com- 
munications packets from the first session are passed 
to the second session, and vice versa, by application 
level proxies which are passed the communications 
packets by the modified operating system. Data sensi- 
tivity screening is preferably performed on the data to 
ensure security Only communications enabled by a se- 
curity administrator are permitted. The advantage is a 
transparent firewall with application level security and 
data screening capability. 
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Description 

TECHNICAL FIELD 

s This application relates generally to internetwork communications and data exchanges and, in particular, to secure 

gateways which sen/e as firewalls between computer networks to inhibit electronic vandalism and espionage. 

BACKGROUND OF THE INVENTION 

10 As computing power and computer memory have been miniaturized and become more affordable, computer net- 
works have largely displaced mainframe and minicomputer technology as a business automation platform. Public in- 
formation networks have also sprung up around the world. The largest and most pervasive public network is the Internet 
which was created in the late 1960s as a United States Department of National Defence project to build a network 
connecting various military sites and educational research centers. White the interconnection of private networks with 

IS public networks such as the Internet may provide business opportunities and access to vital information, connecting 
a private, secure network to a public network is hazardous unless some form of secure gateway is installed between 
the two networks to sen/e as a "firewall". 

Public networks, as their name implies, are accessible to anyone with compatible hardware and software. Conse- 
quently, public networks attract vandals as well as amateurs and professionals involved in industrial espionage. Private 

20 networks invariably store trade secret and confidential information which must be protected from exposure io unau- 
thorized examination, contamination, destruction or retrieval. Any private network connected to a public network is 
vulnerable to such hazards unless the networks are interconnected through a secure gateway which prevents unau- 
thorized access from the public network. 

A great deal of effort has been dedicated to developing secure gateways for internetwork connection. As noted 

2S above, these gateways are commonly referred to as firewalls. The term firewall is broadly used to describe practically 
any internetwork security scheme. Firewalls are generally developed on one or more of three models: the screening 
router, the bastion host and the dual homed gateway These models may be briefly defined as: 

Screening router - Screening routers typically have the ability to block traffic between networks or specific hosts 
on an IP port level. Screening routers can be specially configured commercial routers or host-based packet filtering 

30 applications. Screening routers are a basic component of many firewalls. Some firewalls consist exclusively of a screen- 
ing router or a packet fitter. 

Bastion host - Bastion hosts are host systems positioned between a private network and a public network which 
have particular attention paid to their security. They may run special security applications, undergo regular audits, and 
include special features such as "sucker traps" to detect and identify would-be intruders. 

35 Dual homed gateway - A dual homed gateway is a bastion host with a modified operating system in which TCP/IP 

forwarding has been disabled. Therefore, direct traffic between the private network and the publk: network is blocked. 
The private network can communicate with the gateway, as can the public network but the private network cannot 
communicate with the public network except via the public side of the dual homed gateway Application level or "proxy" 
gateways are often used to enhance the functionality of dual homed gateways. Much of the protocol level software on 

40 networks operates in a store-and-forward mode. Prior art application level gateways are sen/ice-specific store-and- 
foHA/ard programs which commonly operate in user mode instead of at the protocol level. 

All of the internetwork gateways known to date suffer from certain disadvantages which compromise their security 
or inconvenience users. Most known internetwork gateways are also potentially susceptible to intruders if improperly 
used or configured. 

45 The only firewall for many network installations is a screening router which Is positioned between the private net- 

work and the public network. The screening router is designed to permit communications only through certain prede- 
signated ports. Many network sen/ices are offered on specific designated ports. Generally, screening routers are con- 
figured to permit all outbound traffic from the private network while restricting inbound traffic to those certain specific 
ports allocated to certain network services. A principal weakness of screening routers is that the router's administrative 

so password may be compromised. If an intruder is capable of communicating directly with the router, the intruder can 
very easily open the entire private network to attack by disabling the screening algorithms. Unfortunately, this is ex- 
tremely difficult to detect and may go completely unnoted until serious damage has resulted. Screening routers are 
also subject to permitting vandalism by "piggybacked" protocols which permit intruders to achieve a higher level of 
access than was intended to be permitted. 

55 Packet filters are a more sophisticated type of screening that operates on the protocol level. Packet filters are 

generally host-based applications which permit certain communications over predefined ports. Packet filters may have 
associated rule bases and operate on the principle of "that which is not expressly permitted Is prohibited". Public 
networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 
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64K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive 
rule base for a packet fitter application. Besides, packet filtering is implemented using the simple Intemet Protocol (IP) 
packet filtering mechanisms which are not regarded as being robust enough to permit the Implementation of an ade- 
quate level of protection. The principal drawback of packet filters is that they are executed by the operating system 
s kernel and there is a limited capacity at that level to perform screening functions. As noted above, protocols may be 
piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to-access the private 
network. 

The dual homed gateway is an often used and easy to implement alternative. Since the dual homed gateway does 
not forward TCP/IP traffic, it completely blocks communication between the public and private networks. The ease of 

10 use of a dual homed gateway depends upon how it is implemented. It may be implemented by giving users logins to 
the public side of the gateway host, or by providing application gateways, for specific services. If users are permitted 
to log on to the gateway, the firewall security is seriously weakened because the risk of an intrusion increases sub- 
stantially, perhaps exponentially, with each user login due to the fact that logins are a vulnerable part of any security 
system. Logins are often comprornised by a number of known methods and are the usual entry path for intruders. 

15 The alternative Implementation of a dual homed gateway is the provision of application gateways for specific net- 

work services. Application gateways have recently gained general acceptance as a method of implementing internet- 
work firewalls. Application gateways provide protection at the application level and the Transmission Control Protocol 
(TCP) circuit layer. They therefore permit data sensitivity checking and close loopholes left in packet filters. Firewalls 
equipped with application gateways are commonly labelled application level firewalls. These firewalls operate on the 

20 principle of "that which is not expressly permitted is prohibited". Users can only access public services for which an 
application gateway has been installed on the dual homed gateway Although application level firewalls are secure, 
the known firewalls of this type are also inefficient. The principal disadvantage of known application level firewalls is 
that they are not transparent to the user. They generally require the user to execute time-consuming extra operations 
or to use specially adapted network sen/ice programs. For example, in an open connection to the Internet, a user can 

25 Telnet directly to any host on the Internet by issuing the following command: 
Telnet target. machine 

However if the user is behind an application level firewall, the following command must be issued: 
Telnet firewall 

After the user has established a connection with the firewall, the user will optionally enter a user ID and a password 
30 If the firewall requires authentication. Subsequent to authentication, the user must request that the firewall connect to 
the final Telnet target machine. This problem is the result of the way in which the UNIX operating system handles IP 
packets. A standard TCP/1 P device will only accept and attempt to process IP packets addressed to itself. Consequently, 
' if a user behind an application firewall issues the command: 
Telnet target. machine 

3S an IP packet will be generated by the user workstation that is encapsulated with the device address of the firewall but 
with an IP destination address of the target. machine. This packet will not be processed by the firewall station and will 
therefore be discarded because IP packet forwarding has been disabled in the application level firewall. 

Known application level firewalls also suffer from the disadvantage that to date application interfaces have been 
required for each public network service. The known application level firewalls will not support "global sen/ice" or 

40 applications using "dynamic port allocations" assigned in real time by communicating systems. 

Users on private networks having an application level firewall Interface therefore frequently install 'back doors" to 
the public network in order to run services for which applications have not been installed, or to avoid the inconvenience 
of the application gateways. These back doors provide an unscreened, unprotected security hole in the private network 
which renders that network as vulnerable as if there were no firewall at all. 

45 

SUMMARY OF THE INVENTION 

It is an object of the invention to provide an internetwork security gateway which overcomes the known disadvan- 
tages of prior art internetwork security gateways. 
50 it is a further object of the invention to provide an internetwork security gateway which provides application proxy 

flexibility, security and control while permitting users to transparently access public network sen/k:es. 

ft is a further object of the invention to provide an internetwork security gateway which supports any currently 
offered or future network sen/ice. 

It is yet a further object of the invention to provide an internetwork security gateway which supports applications 
ss using port numbers that are dynamically assigned in real time by the communicating systems. 

It is yet a further object of the invention to provide an internetwork security gateway which listens to all communi- 
cations ports in order to detect any attempted Intrusion into a protected network, regardless of the Intruder's point of 
attack. 
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In accordance with a first aspect of the invention there is disclosed a method of providing a secure gateway between 
a private network and a potentially hostile network, comprising the steps of: 

a) accepting from either network alt communications packets that are encapsulated with a hardware destinatbn 
5 address that matches the device address of the gateway; 

b) determining whether there is a process bound to a destination port number of an accepted communrcatbns 
packet; 

c) establishing a first communications session with a source address/source port of the accepted communications 
packet if there is a process bound to the destination port number, else dropping the packet; 

10 d) establishing a second communications session with a destination address/destination port number of the 
accepted communications packet if a first communications session is established; and 

e) transparently moving data associated with each subsequent communications packet between the respective 
first and second communications sessions, whereby the first session communicates with the source and the second 
session communicates with the destinatbn using the data moved between the first and second sessions. 

75 

In accordance with a further aspect of the invention there is disclosed an apparatus for providing a secure gateway 
for data exchanges between a private network and a potentially hostile network, comprising in combination: 

a gateway station adapted for connection to a telecommunications connection with each of the private network 
20 and the potentially hostile network; 

an operating system executable by the gateway statbn, a kernel of the operating system having been modified 
so that the operating system: 

a) cannot forward any communications packet from the private network to the potentially hostile network or 
25 from the potentially hostile network to the private network; and 

b) will accept for processing any communications packet from either of the private network and the potentially 
hostile network provided that the packet Is encapsulated with a hardware destination address that matches 
the device address of the gateway station on the respective networks; and 

30 at least one proxy process executable by the gateway station, the proxy process being adapted to transparently 

Initiate a first communications session with a source of an initial data packet accepted by the operating system 
and to transparently initiate a second communications session with a destination of the packet, and to transparently 
pass a data portion of packets received by the first communications session to the second communications session 
and to pass the data portion of packets received by the second communications session to the first communications 

35 session, whereby the first session communicates with the source using data from the second session and the 

second session communicates with the destination using data received from the first session. 

The invention therefore provides a method and an apparatus which permits a private network to be securely in- 
terconnected with a public or a potentially hostile network. 

40 The method in accordance with the Invention Involves protecting a private network interconnected with a potentially 

hostile network whereby a gateway between the two networks transparently Imitates a host when a communlcatbn 
data packet is received from a client on one of the networks by initiating a communication session with the client. If 
the client is determined to have access rights to the requested service, the gateway station imitates the client to the 
host on the other network by initiating a communications session with the host. Thereafter, data is passed between 

45 the client session and the host session by a process which coordinates communications between the two distinct, 
interdependent communications sessions which proceed between the client and the gateway station and the host and 
the gateway station. 

For instance, using a gateway station in accordance with the Invention as an internetwork Interface, a user on the 
private network can issue the command: 
50 telnet publictarget. machine 

and the command will appear to the user to be executed as if no gateway existed between the networks so long as 
the user is permitted by the rule bases maintained by the private network security administrator to access the public- 
target machine. 

In order to achieve transparency of operation, the gateway station Is modified to accept for processing all IP packets 
55 encapsulated in a network operating system capsule (e.g. an ethernet capsule) having a destination address which 
matches the device address of the gateway station, regardless of the destination address of the IP packet. This mod- 
ification permits the gateway station to provide transparent service to users on either network, provided the users are 
authorized for the sen/Ice. Furthermore, the gateway station in accordance with the invention runs a novel generic 
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proxy which permits it to listen to all of the 64K communlcatjons ports accommodated by the UNIX operating system 
which are not served by a dedicated proxy process. As is well known to those skilled in the art, certain internetwork 
services have been assigned specific ports for communication. Most of the designated ports on the Internet are those 
port numbers In the range of 0-1 K (1.024). Other applications and services use port numbers in the range of 1K to 

s 64K. As noted above, the gateway station in accordance with the Invention "listens" to all 64K ports. The generic proxy 
process which is executed by the gateway station responds to any request for service that is not sen/ed by a dedicated 
proxy process, regardless of the destination port number to which the request for service is made. Every request for 
service may therefore be responded to. When an intruder attacks a private network, the intruder must attempt to access 
the network through the gateway station. Most firewalls listen to only a limited subset of the available communications 

10 ports. An intruder can therefore probe unattended areas of the firewall without detection. The gateway station in ac- 
cordance with the invention will, however, detect a probe on any port and may be configured to set an alarm condition 
if repeated probes are attempted. The gateway station in accordance with the invention can also be configured to 
perform data sensitivity screening because all communications packets are delivered by the kernel to the application 
level where the data portion of each packet is passed from one in progress communications session to the other. Data 

IS sensitivity screening permits the detection of sophisticated intrusion techniques such as piggybacked protocols, and 
the like. 

The apparatus in accordance with the invention is modeled on the concept of a bastion host, preferably configured 
as a dual home firewall. The apparatus in accordance with the invention may also be configured as a multiple-home 
firewall, a single-home firewall or a screened subnet. Regardless of the configuratbn, the apparatus preferably com- 

20 prises a UNIX station which executes a modified operating system in which IP packet forwarding is disabled. The 
apparatus in accordance with the invention will not forward any IP packet, process I CMP direct messages nor process 
any source routing packet between the potentially hostile network and the private network. Without IP packet forward- 
ing, direct communication between the potentially hostile network and the private network are disabled. This is a com- 
mon arrangement for application level firewalls. The apparatus in accordance with the invention is, however, configured 

25 to provide a transparent interface between the interconnected networks so that clients on either network can run stand- 
ard network service applications transparently without extra procedures, or modifications to accomplish communica- 
tions across the secure gateway. This maximizes user satisfaction and minimizes the risk of a client establishing a 
"back door" to a potentially hostile network. 

The methods and the apparatus in accordance with the invention therefore provide a novel communications gate- 

30 way for interconnecting private and public networks which permit users to make maximum use of public services while 
providing a tool for maintaining an impeccable level of security for the private network. 

BRIEF DESCRIPTION OF THE DRAWINGS 

35 A preferred embodiment of the invention will now be further explained by way of example only and with reference 

to the following drawings, wherein: 

FIG. 1 is a schematic diagram of a preferred configuration for an apparatus in accordance with the invention for 
providing a secure gateway for data exchanges between a private network and a potentially hostile network; 
40 FIG. 2 is a schematic diagram of an IP header, a TCP and a UDP header In accordance with standard TCP/IP 

format; 

FIG. 3 is a schematic diagram of ethernet encapsulation in accordance with RFC 894; 

FIG. 4 is a schematic diagram of a communications flow path between a gateway station in accordance with the 
invention, a client on a private network and a host on a public network; 
45 FIG. 5 Is a flow diagram of a general overview of TCP routing by the kernel of a UNIX station in accordance with 
the prior art; 

FIG. 6 is a flow diagram of a general oven/iew of TCP routing by a modified UNIX kernel in accordance with the 
invention; 

FIG. 7a is a first portion of a flow diagram of a general oven/iew of the implementation of the invention at the 
so application level of a gateway station; and 

FIG. 7b is a second portion of the flow diagram shown In FIG. 7a. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

55 Most UNIX hosts communicate using TCP/IP protocol. The preferred embodiment of the invention is therefore 

constructed from a UNIX station having a UNIX operating system. While the preferred embodiment of the invention 
described below Is explained with particular reference to the UNIX environment, it Is to be welt understood by those 
. skilled in the art that the principles, concepts and methods described may be readily adapted to function with other 
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Internetwork communication protocols in other operating environments. 

FIG. 1 shows a schematic diagram of a private network 10, considered a secure network, connected to a public 
network 12, considered a potentially hostile network, through a gateway station 14 In accordance with the invention. 
In this configuration, the gateway station 14 is configured as a dual homed bastion host which provides a secure 

s interface between the private network 10 and the public network 12. 

The private network 1 0 includes a multiplicity of users 16, commonly referred to as clients, and one or more servers 
such as the name, mail and news server 1 8. The public network 1 2 may be, for example, the Internet which comprises 
hundreds of thousands of interconnected machines. The connection between the private network 10 and the public 
network 1 2 passes through a router 20 that relays packets over a communications line 22 which may be an ISDN, 56K 

10 level BPS, T1 or a dial up connection depending on the private network's arrangement with a public network service 
provider. All of the private network 10 on the private side of the gateway station 14 is unavailable to the public and Is 
not advertised on the public network 12. The gateway station 14 does not broadcast any routes to the public network 
12 and the gateway router 20 should not have any static routes defined for the private network 1 0. The private network 
10 is therefore "routing invisible" to the public network 12. The hosts in the private network 10 can use private network 

IS addresses as defined In RFC- 1597. 

As can be seen in FIG. 1 , the gateway station has one device address for its communications connection with the 
private network 10 and another device address for Its communications connection with the public network 12. The 
device address on the public side of the gateway station 14 must be advertised on the public network 12. The private 
network 10 may also include one or more public servers 24 which may be accessed directly from the public network 

20 12. The public servers 24 must have addresses which are registered and published on the public network 12. The 
private network 1 0 can only access the public servers 24 through the gateway station 1 4. The public server 24 is treated 
like any other sen/er on the public network 12 when a user 16 initiates communication from the private network 10. 

The gateway station 14 Is preferably a UNIX station, well known In the art. The kernel of the operating system of 
the gateway station 1 4 is modified to disaible ail IP forwarding, source routing and IP redirecting functions. It is therefore 

2S impossible to have communication data packets flow directly through the gateway station 14. As will be explained 
below in some detail, these functions have been replaced with processes which ensure that all communications data 
packets from the private network 10 to the public network 12, or vice versa, are properly authenticated. 

Public network communications are typically in TCP/IP format. FIG. 2 shows a schematic diagram of an IP header 
26, a TCP header 28 and a UDP (User Datagram Protocol) header 30. Each IP header includes a 32-bit source IP 

30 address 32 and a 32-bit destination IP address 34. Each TCP header and each UDP header Include a 16-blt source 
port number 36 and a 16-bit destination port number 38. Each communication data packet therefore includes a source 
address/source port number and a destination address/destination port number, in accordance with this communica- 
tions protocol which is well known in the art. In addition to the TCP/IP communications protocol, local area networks 
often operate using ethernet network control software which handles intranetwork communications. In accordance with 

3S ethernet protocol, TCP/IP packets are encapsulated with an ethernet encapsulation packet to facilitate routing and 
ensure error free transmission. 

FIG. 3 shows a schematic diagram of an ethernet encapsulation packet In accordance with RFC 894. Each en- 
capsulation includes an ethernet destination address 40, an ethernet source address 42 and a check sum 44 for facil- 
itating error detection and correction. 

40 FIG. 4 Illustrates schematically a typical communications session between a client station 1 6 on the private network 

1 0 and a public host 46 on the public network 1 2. All communications between the networks are handled by the gateway 
station 1 4. When a client 16 wishes to communicate with the public network 1 2, such as In accessing a public host 46, 
the client 16 Issues a network command as If the client were not behind a firewall. For instance, client 16 may issue 
the command: 

45 Telnet Target. Machine 

The private network 10 is configured so that all packets directed to the public network 12 are encapsulated with the 
ethernet destination address (1 92. 1 68.77. 1 ) of the gateway station 1 4. A TCP/LP packet encapsulated with the ethernet 
destination address of the gateway station 14 is therefore dispatched by the client 16. A normally configured UNIX 
device will not accept for processing TCP/IP packets which do not have an IP destination address equal to its own IP 

so address. The kernel of the operating system of the gateway station 1 4 is modified so that the gateway station 14 will 
accept for processing any TCP/IP packet having an encapsulation destination address 40 that matches the device 
address of the gateway station 1 4. When the gateway station 1 4 receives the client packet containing the Telnet com- 
mand, a process is Initiated on the gateway station 14 which responds to the client 16 to establish a communication 
session 17 as if it were the target machine. As will be explained below In detail, the process then authenticates the 

ss client's authorization to access the requested service and if the client 16 Is determined to have the required authori- 
zation, the gateway station 14 Initiates a second communications process 19 with the remote host 46 in which the 
gateway station 1 4 simulates the client 1 6 without revealing the client address. Once the two communication sessbns 
17,19 are operative, communication is effected between the client 1 6 and the host 46 by passing communication data 
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between the two interdependent communication sessions. This is accomplished by a process that operates at the 
application level on the gateway station 14, as will be explained in detail below. The process accepts communication 
packets passed from the IP layer of the gateway station 14 by the modified operating system kernel, extracts the data 
from the packets and passes the data to the appropriate interdependent communications sessbn. Data sensitivity 

s checking is preferably performed before packet data is released to the appropriate interdependent communications 
session. Data sensitivity checking can prevent protocol piggybacking and other sophisticated intrusion techniques. 
Data sensitivity checking is performed using application level algorithms, some of which are well known in the art, but 
new algorithms are still being developed. All of this processing Is completely transparent to client 16 because all com- 
munications appear to be direct to host 46. Host 46 likewise cannot detect that communications with client 16 are not 

10 direct. 

FIG. 5 shows a general overview of the way in which a prior art UNIX operating system kernel handles data 
communication packets. In a first step 48, a data packet is received by a UNIX workstation (not illustrated). The en- 
capsulation address (typically an ethernet encapsulation destination address 40, see FIG. 3) is checked to determine 
whether it matches a device address of the station in step 50. If the addresses do not match, the packet is dropped in 

IS step 52. If the addresses match, the IP destination address 34 (see FIG. 2) is examined to determine whether it matches 
an IP address of the station in step 54. If a match is found, the destination port is examined in step 56 to determine 
whether there is a process bound to a communications port indicated as the destination port by a TCP or UDP portion 
of the packet that indicates the destination port number 38 (see FIG. 2). If no process is bound to the destination port, 
the packet is dropped In step 58. OthenA/ise, the-kernel starts a TCP or a UDP session with the IP source In step 59, 

20 and delivers the packet to the bound process in step 60. Thereafter, the packet is processed by the process bound to . 
the destination port in step 61 , in a manner well known in the art. If the IP destination address does not match any IP 
address for the station, the kernel attempts to forward the packet in step 62 by consulting routing tables in a process 
which is also well understood by those skilled in the art. 

FIG. 6 is a flow diagram of a general overview of packet processing by a UNIX operating system kernel nrKxlified 

2S in accordance with the invention. In order to understand the process completely, it is important to understand that the 
gateway station 14 (see FIG. 1) is configured by a systems administrator using configuration programs supplied with 
the gateway station 1 4. When the gateway station 1 4 is initialized, a system configuration file is examined to determine 
what network services are to be supported by the gateway station 14. In order to maximize performance efficiency of 
the gateway station 14, commonly used sen^ices are supported by processes adapted to most efficiently handle com- 

30 municatlons for each respective service. These processes are called "proxies". On system initialization, any proxy 
given operating rights by the system administrator is said to "bind" to the port to which the proxy has been assigned. 
Thereafter, the process is said to be "bound* to the port. In accordance with the invention, the gateway station 14 is 
also supplied with a generic proxy that is assigned to port 5981 3. This port assignment is an arbitrary assignment and 
another port number may be used. When the gateway station 14 is initialized, the generic proxy binds to port 59813, 

35 provided that the systems administrator has given it operating rights to do so. 

With reference again to FIG. 6. the modified kernel receives a packet in step 64 in the same manner as an un- 
modified prior art kernel. The packet is examined to determine whether the encapsulation destination address 40 (see 
FIG. 3) equals the device address of the gateway station 14 in step 66. If no match is found, the packet is dropped In 
step 68. If the encapsulation destination address 40 equals the device address of the gateway station 1 4, the destination 

40 port of the TCP or UDP portion of the packet is examined to determine the destination port number 38 (see FIG. 2) 
and whether there is a process bound to that destination port in step 70. The IP destination address 34 of the packet 
is ignored while making this determination. If no proxy process is bound to the destination port of the data packet, the 
kernel checks port 5981 3 to detennine whether the generic proxy process is bound to that port In step 72. If the generic 
proxy process is not bound to port 59813, the packet is dropped in step 74. If it is determined that a proxy process is 

45 bound to a port which can sen/e the destination port number 38 in either of steps 70 or 72, a session (TCP or UDP) is 
initiated with the packet source IP address 32 in step 76 and in step 78. the packet is delivered by the kernel to the 
proxy process designated in steps 70, 72. This critical modification of the operating system kernel permits the kernel, 
within the permission boundaries imposed by a systems administrator, to "listen" to all 64K ports available for commu- 
nication. Appendix A attached hereto is a printed listing of the modified source code in the kernel. 

50 FIGs. 7a and 7b show a flovy diagram of a general oven/iew of processing at the application or proxy level of 

operations on the gateway station 1 4 in accordance with the inventksn. While this general overview shows a simple 
single user process, it will be understood by those skilled in the art that all proxies In accordance with the inventbn 
are multi-tasking proxies which can sen/ice a plurality of usei^ simultaneously by creating 'sockets' for multi-task 
organization In a manner well understood in the art. 

55 in step 80 of FIG. 7a. the proxy is initialized. The proxy may be any one of a number of proxies. As noted above, 

in order to maximize the performance of a gateway station 14, certain customized proxies handle certain sen/ices. In 
particular, the preferred embodiment of the invention includes at least the following customized proxies: 
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proxy - Telnet (port 23) 
proxy -FTP (port 21) 
proxy - Gopher (port 70) 
proxy - TCP (port xxx or port 5981 3) 
5 UDP - relay (port xxx or port 5981 3) 

These custom proxies are adapted to most efficiently handle the services with which they are associated. Other 
custom proxies can, of course, be added to the proxy processes which are bound to ports on the gateway statbn 14. 
If a data packet has a destination port number 38 that is determined to point to a port to which a custom proxy process 

10 is bound, the pacl^et is passed by the kernel to that custom proxy process in step 82 where the custom proxy process 
waits for packets to arrive on the port to which it is bound, represented by "port xxx" in the diagram. As explained above 
with relation to FIG. 6, if the destination port number 38 of a data packet does not point to a port to which a custom 
proxy process is bound, the packet is delivered by the kernel to port 5981 3. Proxy 5981 3 is the generic proxy process 
which is designated to handle any request for service for which a customized proxy process does not exist. Although 

IS the generic proxy process is literally bound to a specific port, such as port 59813, in combination with the modified 
kernel it is operationally bound to every port to which a custom proxy process is not bound. Thus a versatile gateway 
station 14 which can handle any TCP/IP communications session is provided. 

When the packet is passed by the kernel in step 82 to a bound proxy process, the proxy process determines 
whether the source IP address 32 is permitted to communicate with the destination IP address in step 64. This Is 

20 accomplished by reference to a rule base maintained by a systems administrator of the private network. Rule bases 
are well understood in the art and their structure is common general knowledge. Preferably the rule base in accordance 
with the preferred embodiment of the invention includes a minimum of the following elements in the rule set to determine 
authorization: 

25 IP source address 

IP destination address 

Service required (Telnet, Archie, Gopher, WAIS, etc.) 

User ID 

Password 

30 

If the IP source address 32 is determined in step 84 not to be authorized for the requested service, the gateway 
station 14 drops the communication session in step 86. Othenwise, the proxy determines whether user level authenti- 
cation is required in step 88. User level authentication is also under the control of the systems administrator. For 
example, the systems administrator may not require any authentication of users on the private network on the theory 

35 that the private network is only accessible to secure individuals. On the other hand, the systems administrator has the 
option of requiring user level authentication for all users or any selected user. Even if user level authentication is 
required, in accordance with the preferred embodiment of the invention a user can authenticate and enable transparent 
mode wherein authentication need not be repeated for subsequent sessions for as long as authentication is maintained, 
as will be explained below in more detail. 

40 If user level authentication is determined to be required in step 88, the proxy process authenticates the user in. 

step 90. Authentication is preferably accomplished by requiring the user to enter an identification code and a password 
in a manner well known in the art. The identification code and the password entered are verified In a user authentication 
data base (not illustrated), the structure and operation of which are also well known in the art. In step 92, the gateway 
station 14 determines whether the user has authenticated by referencing the user authentication data base. If the user 

^ is not successfully authenticated, the session is dropped In step 94. If it is determined that no authentication is required 
in step 86, or if the user successfully authenticates in step 92. the IP destination address 34 of the packet is examined 
to determine if it is an IP address of the gateway station 14 in step 96 (see FIG. 7b). Step 96 is preferably only executed 
by the custom proxies for Telnet. FTP and Gopher, as will be explained below in detail. If the IP destination address 
34 of the packet corresponds to an IP address of the gateway station 14, the gateway station starts a session to permit 

50 the user to enable or disable transparent mode in step 98, as will also be explained below In step 100, the proxy 
process waits for communication packets to arrive on the port "xxx", which is the port on which the communications 
session was initiated, where it is delivered by the nrrodified kernel. When a communications packet arrives, it is proc- 
essed by the proxy process to permit the IP source to enable or disable transparent mode in step 1 01 . Thereafter, the 
proxy process determines in step 102 whether the session has ended and if not it returns to step 100 to wait for a data 

55 packet to arrive on the port. Otherwise it returns to step 80 (see FIG. 7a) to initialize for a new session. If the IP 
destination address 34 of the packet does not match an IP address of the gateway station 14, a second communk;ation 
session is established In step 104. The second communication session is established between the gateway station 14 
and the IP destination address 34yTCP destination port number 38 indicated by the packet. The second communfcation 
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session established in step 104 is established exclusively by the proxy process, all operations being completely trans- 
parent to the IP source. Once the second communications session is established, the proxy process waits for data 
packets from each session In step 106. The data packets are delivered by the kernel to the proxy process which relays 
the data portion of each packet from one session to the other so that the two interdependent sessions appear to the 

s IP source and to the IP destination to be one direct session between a client source and a host destination. Data 
sensitivity checking may be accomplished by the proxy process before relaying the data from one session to the other 
Data sensitivity checks ensure that the gateway station 14 provides a very secure interface that is, for all practical 
purposes, impossible for intruders to breach. 

Thus a completely transparent firewall is provided which permits a security administrator to exercise potent control 

10 over the access to the private network. In step 108, the proxy process checks to determine whether either of the 
sessions is terminated. If either session terminates, the other session Is likewise terminated and the proxy process 
retums to step 80 for Initialization. The custom proxy processes in accordance with the Invention are public domain 
proxy processes which have been modified to cooperate with the kernel in accordance with the methods of the invention. 
Appendix B attached hereto is a printed listing of the modifications made to the public domain proxies for the Telnet 

15 proxy and the FTP proxy. The principles illustrated may be applied by a person skilled in the art to any public domain 
or proprietary proxy process. 

One of the significant features of the invention Is the fact that the proxy process which executes in accordance 
with the flow diagram shown in FIG. 7 may be the generic proxy process, whteh can handle any request for service for 
which a customized proxy process does not exist. . The generic proxy process In accordance with the inventk^n Is a 

20 proprietary TCP proxy. A complete source code listing of the proxy TCP is attached hereto as Appendix D. As explained 
above, in the preferred embodiment of the Invention, the generic proxy process is bound to port 5981 3, but the specific 
port to which the proxy process is bound is substantially Immaterial. The generic proxy process increases many fold 
the versatility of gateway station 1 4 and permits the gateway station to handle any communications session, including 
sessions which use port numbers dynamically allocated in real time by the communicating systems. It also provides a 

25 secure gateway which is adapted to support, without modification, new servtee offerings on the public network 12. If a 
new service offering becomes a popular service tor which there is demand, a customized proxy can be written for that 
service. During development and testing of the customized proxy, however, the new service can be supported by the 
generic proxy process. Thus a versatile, secure Internetwork gateway Is provided which supports any known or future 
sen/ice available on a public network. 

30 The gateway Is completely transparent to users in all instances except when a user authentication is requested. 

In that instance, users may be authorized to enter authentication requests to enable a transparent mode of operation 
wherein subsequent sessions require no further authentication, and the gateway station 14 is completely transparent 
to the user. In accordance with the preferred embodiment of the Invention, transparent mode can be enabled using a 
Telnet session, an FTP session or a Gopher session. To enable transparent mode using the Telnet program, a Telnet 

35 session is started with gateway station 1 4 as follows: 

your-host% telnet gatewaystation.company.com 

Trying 198.53.64.2 

Connected to gatewaystation.company.com 
40 Escape character is '^Y 

gatewaystation proxy-telnet ready: 

Username: You 

Password: xxxxxxx 

Login Accepted 
45 proxy-telnet> enable 

proxy-telnet> quit 

Disconnecting 

Connection closed by foreign host. 
your-host% 

so 

A user may also authenticate and enable transparent mode using the FTP program as follows: 

your-host% FTP gateway8tation.company.com 

Connected to gatewaystatlon.company.com 
ss 220 gatewaystation proxy-FTP ready: 

Name (gatewaystation.company.com:you): You 
331 Enter authentication password for you 
Password: xxxxxxx 
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230 User authentication to proxy 
ftp > quote enable 
Transparent mode enabled 
ftp > quit 
s your-host% 

In the preferred embodiment of the invention, a proprietary Gopher proxy is enabled to automatically initiate trans- 
parent mode after the user has successfully authenticated to the gateway station 14 by entering a valid user identifi- 
cation and password, whenever a Gopher session is requested and user authentication Is required. This user authen- 

10 tication capability is a novel feature for a Gopher proxy The proprietary source code for the novel Gopher proxy is 
appended hereto as Appendix C. 

The modes for implementing transparent mode are, of course, arbitrary and may be redesigned or reassigned to 
other programs or proxies as those skilled in the art deem appropriate. Once the transparent mode is enabled, an 
authentication directory is updated by creating a file entry for the source IP address 32. The authentication files Include 

15 a creation time variable which is automatically set to the system time when the file is created. This creation time variable 
Is used to track the time of authentication. The files also include a last modification time variable which is automatically 
updated by the system each time the file is modified. By rewriting the authentication file each time a user initiates a 
new communications session through the gateway station 1 4 the time of last use of the gateway station can be tracked. 
This authentication directory Is inspected periodically and user files are deleted from the authentication directory based 

20 on any number of predetermined criteria. In accordance with the preferred embodiment, the user file Is deleted from 
the authentication directory if the user has not initiated a communications session through the gateway station for a 
period of time predefined by the systems administrator. In addition, the user file may be deleted from the authentication 
directory at a predetermined time of day defined by the system administrator It is therefore possible to have the au- 
thentication of all users of the gateway station 14 revoked at a specified time of day, such as the end of the business 

25 day. This further fortifies the security of the gateway. 

It is apparent that a novel and particularly invulnerable gateway has been invented. The gateway is efficient as 
well as secure. It will be readily apparent to those skilled in the art that modification may be made to the preferred 
embodiment described above without departing from the scope of the invention as expressed In the appended claims. 

30 



APPENDIX A 



40 



MODIFIED UNIX KERNEL SOURCE CODE LISTING 

45 



SO 



55 
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/* 

* Copyright (c) 1982, 1986, 1988, 1993 

* Regents of the University of California. All rights reserved. 

* ' 

* Red .ribution and use in sovirce and binary forms, with or without 

* modification, are permitted provided that the following conditions 

* are met: 

* 1. Redistributions of source code must retain the above copyright 

* notice, this list of conditions and the following disclaimer, 

* 2. Redistributions in binary form must reproduce the above copyright 

* notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 

* 3. All advertising materials mentioning features or use of this software 

* must display the following acknowledgement: 

* This product includes software developed by the University of 

* California, Berkeley and its contributors. 

* 4. Neither the name of the University nor the names of its contributors 

* may be used to endorse or promote products derived from this software 

* without specific prior written permission. 
* 

* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS '*AS IS ' ' AND 

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO. THE 

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 

* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 

* OR SERVICES; LOSS OF USE. DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 

* OUT OF THE USE OF THIS SOFIWARE, EVEN IF ADVISED OF THE POSSIBILITY OP 

* SUCH DAMAGE. 
* 

* e(#)ip_input.c 7.19 (Berkeley) 5/25/91 
*/ 

# include "param.h" 

# include "systm.h" 

# include "malloc.h" 

# include -mbuf.h" 

#include -domain. h- 

# include "protosw^h" 

# include "socket. h* 

# include "errno.h" 

•include "time.h" 

♦include -kernel. h" 

♦include • . ./net/If .h" 
♦include • . ./net /route. h" 

♦include "in.h- 
♦include "in^systm.h" 
♦include "ip.h- 
♦include -io-pcb. fa- 
mine lude 'in^var.h" 
♦include -ip.var.h" 
♦include "ip_icmp.h- 

♦ if defined<MILKYWAyjH) || defined (MILKYWAY.VPN) 

♦ include -milkyway/vpn_data.h- 
♦define GATEWAY 

♦endif 

/* the following are in in_proto.c for easy con fig -dependence */ 
extern int ipf orwarding; /• act as router? •/ 

extern int ipf orward_srcrt ; /* forward src-routed packets? •/ 
extern int ipsendredirects; 
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«i£aef GWSOREEN - 

extern .void (*ip_forward_fn) P( (struct mbuf int) ) j 

#en,di£ 

void ir forward P( (struct mbuf *, int) ) ? 

fifdef DEBUG 

int ipprintfs = 1; 

ftendif 

extern struct domain inetdomain? 

extern struct protosw inetsw[]; 

u.char ip_protox C IPPROTO_MAX J ; 

int ipqtnaxlen = IFQ.MAXLEN; 

struct in_ifaddr *in_ifaddr; 



/* first inet address */ 



* We need to save the IP options in case a protocol wants to respond 

* to an incoming packet over the same route if the packet got here 

* using IP source routing. This allows connection establishment and 

* maintenance when the remote end is on a network that is not known 

* to us. 

•/ 

int 

static 



ip_nhops = 0; 
struct ip_srcrt { 



struct 
char 
char 
struct 
) ip^srcrt; 



in_addr dst; /* 
nop; /* 
srcopt(IPOPT_OFFSET +1]; / 



final destination */ 
one NOP to align */ 
OPTVAL, OLEN and OFFSET 



in_addr route (MAX.IPOPTLEN/ si zeof (struct in_addr)]; 



•ifdef GATEWAY 
extern int i f. index; 
u_long • ip_i f mat r ix ; 
tendif 



/* 

* IP initialization: fill in IP protocol switch table. 

* All protocols not iinplemented in kernel go to raw IP protocol handler. 
*/ 

ip^initO 
{ 

register struct protosw *pr; 
register int i; 

pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW) ; 
if (pr == 0) 

panicCip.inif) f 
for (i = 0; i < IPPROTO_MAX; i++) 

ip_protox[i] = pr - inetsw; 
for (pr = inetdomain. donuprotoBw; 

pr < inetdomain. donuprotoswNPROTOSW; pr++) 

if (pr->pr_domain->dom_f amily == PF_INET && 

pr->pr_protocol && pr->pr_protocol != IPPROTO^RAW) 
ipj>rotox(pr->pr_protocol) s pr - inetsw; 
ipq.next = ipq.prev = &ipq; 
ip_id = time.tv^sec & Oxffff; 
ipintrq.ifq^maxlen = ipqmaxlen; 
« ifdef GATEWAY 

i = (if_index + 1) * (if^index + 1) ♦ sizeof (u^long) ; 
if ( (ip.ifmatrix = (u_long •) malloc(i, M.RTABLE, M.WAITOK)) == 0) 
panic ("no memory for ip_ifmatrix") ; 

#endif 
} 

struct ip *ip_reass{); 

struct sockaddr_in ipaddr « ( sizeof (ipaddr) , AF_INET ); 
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struct roitte ipforward_rt; 



* Ip i-out routine. Checksum and byte swap header. If fragmented 

* try J reassemble. Process options. Pass to next level. 
V 

ipintrO 
{ 

register struct ip *ip; 
register struct nibuf *m; 
register struct IpQ *fp; 
register struct in_lfaddr *ia; 
int hlen« s; 
struct if net ♦ifp; 

next: 

/• 

* Get next datagram off input queue and get IP header 

* in first mbuf . 
♦/ 

s s spl imp ( ) ; 
IF.DEQUEUE(tipintrq,m) ; 
splx(s) ; 
if (m « 0) 

return; 

#ifdef DIAGNOSTIC 

if ((m->nuflags & m.pkthdr) == 0) 
panic ("ipintr no HDR»); 

«endif 

if p=m->iiLPkthdr . rcvif ; 



* If no IP addresses have been set yet but the interfaces 

* are receiving, can't do anything with incoming packets yet. 
*/ 

if (in^ifaddr == NULU) 

goto bad; 
ipstat . ips_total++ ; 
if (m->n\_len < si2eof (struct ip) && 

(m = xru?ullup(m, sizeof (struct ip))) ==0) { 

Ipstat . ips„toosmall+-»-; 

goto next; 

> 

ip = mtod(m, struct ip ♦) ; 

If (ip->ip_v IPVERSION) { 

/ * ipstat . ips_badver ++ ; * / 
goto bad; 

> 

hlen = ip->ip_hl « 2; 

if (hlen < sizeof (struct ip) ) { /• miniin\)ni header length */ 
ipstat . ips_badhlen++ ; 
goto bad; 

) 

if (hlen > m->nulen) { 

if ((m = nu?ullup(m, hlen)) == 0) { 
ipstat . ips_badhlen++; 
goto next; 

} 

ip = mtodCm, struct ip *); 

) 

if (ip->ip_sum = in_cksum(m, hlen)) ( 
ipstat . ips_badsum++; 
goto bad; 
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) . . 
/* 

c * Convert fields to host representation. 

* V 

NTOHS ( ip->ip_len) ; 

if (ip->ip_len < hlen) { 

ipstat. ips_badlen++; 
goto bad; 

> 

10 NTOHS ( ip->ip_id) ; 

NTOHS(ip->ip_of f ) ; 

/♦ 

* Check that the amount of data in the buffers 

* is as at least much as the IP header would have us expect. 
,5 ♦ Trim mbufs if longer than we expect. 

* Drop packet if shorter than we expect. 
V 

if (m->nupkthdr.len < ip->ip_len) ( 
ipstat . ips_tooshort++ ; 
goto bad; 

if (m->nup3«thdr.len > ip->ip_len) { 

if (m->nulen « m->nupkthdr .len) { 
m->m_len = ip->ip_l6n; 
m->irupkthdr .len = ip->ip_len; 

) else 

in_adj(in, ip->ip_len - in->nu>^thdr . len) ; 

25 } 
/* 

* Process options and, if not destined for us, 

* ship it on. ip_dooptions returns 1 when an 

* error was detected (causing an icmp message 

* to be sent and the original packet to be freed) . 
*/ 

ip nhops = 0 ; / * for source routed packets * / 

if^ihlen > sizeof (struct ip) && ip^dooptions (m) ) 
goto next; 

/* 

35 * Check our list of addresses, to see if the packet is for us. 

V 

for (ia = in_ifaddr; ia; ia = ia->ia_next) ( 
#define satosin(sa) ((struct sockaddr.in *)(sa)) 

if (IA^SIN(ia)->sin_addr.s_addr == ip->ip_dst. s_addr) 
40 goto ours; 

if ( 

# if def DIRECTED JROADCAST 

ia->ia_ifp == m->n\_pkthdr .rcvif && 

tendif 

(ia->ia_ifp->if_flags & IFF JROADCAST) ) { 
45 u_long t; 

if (satosin(fitia->ia_broadaddr) ->sin_addr.s_addr 
ip- > iP-ds t . s_addr ) 
goto beast; 

if (ip->ip_dst.s_addr == ia->iawnetbroadcast.s_addr) 
goto beast; 

50 /* 

* Look for all-0*s host part (old broadcast addr) , 

* either for subnet or net. 
*/ 

t s ntohl(ip->ip_dst.s_addr) ; 

55 
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if (t == ia->ia_s\ibnet) 

goto beast; 
if <t == ia->ia_net) 

goto beast; 

) 

) 

tifdef MULTICAST 

if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 

struct injnulti *irun; 
/* tifdef MROUTING */ 

extern struet socket *ip_mrouter? 

if (ip_mrouter) { 
/♦ 

* If we are acting as a multicast router, all 

* incoming multicast packets are passed to the 

* kernel-level multicast forwarding function. 

* The packet is returned (relatively) intact; if 

* ip_mforward() returns a non-zero value, the packet 

* must be discarded, else it may be accepted below. 
* 

* (The IP ident field is put in the same byte order 

* as expected when ip.mforward() is called from 

* ip_output ( ) . ) 
*/ 

ip->ip_id = htons(ip->ip_id) ; 

if (ip_mforward{ip, m->nupkthdr. rcvif , m) != 0) { 
m_f reem(m) ; 
goto next; 

) 

ip->ip_id = ntohs(ip->ip.id) ; 
/* 

* The process -level routing daemon needs to receive 

* all multicast IGMP packets, whether or not this 

* host belongs to their destination groups. 
*/ 

if (ip->ip_p == IPPROTO.IGMP) 
goto ours; 

} 

/* #endif •/ 

/* 

* See if we belong to the destination multicast group on the 

♦ arrival interface. 
♦/ 

IN_U)OKUP__MULTI ( ip->ip_dst, m->m_pkthdr , rcvif , inm) ; 
if (inm == NULL) { 

m^freem(m) ; 

goto next; 

) 

goto ours; 

) 

#endif 

if (ip->ip.dst.s_addr (u.long) INADDR^BROADCAST) 

goto beast; 
if (ip->ip.dst.s_addr inaddr_any) 
goto ours; /* beast? ♦/ 

#if defined (MILKYWAY_BH) 
/• mcr - 94/10/11 

Do not forward and simply give the packet to the upper layer 
Just to see how it goes 

*/ 

«if defined (MILKYWAY.VFN) 

/* but we need to be a bit smarter for VPN */ 
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10 



IS 



20 



i f (.vpn_f orward (m) ) { 

goto next; 
) else ( 

goto ours; 



#endi f 
«else 



* Not for us; forward if possible and desirable. 



if (ipforwarding ==0) { 

ipstat. ips_cantforward++; 
m_freem(xn) ; 

) else 
«iedef GWSCREEN 

<*iP-forwardLfnJ (m, 0); 

ielse 

ip_f orward (m, 0); 

iendif 

goto next; 
#endif /* MILKYWAYJH */ 



beast : 



/* set the BCAST bit on packets destined to an IP broadcast address */. 
in->n^flags |= M_BCAST; 



ours: 



25 



30 



35 



40 



45 



found: 



* If offset or IP.MF are set, must reassemble. 

* Otherwise, nothing need be done. 

* (We could look in the reassembly queue to see 

* if the packet was previously fragmented, 

* but ifs not worth the time; just let them time out.) 
*/ 

if (ip->ip_off t- IP^DF) ( 

if (m->rn_flags & M_EXT) { /* XXX */ 

if ((m = m_pullup(m, sizeof (struct ip) ) ) 01 { 
ipstat . ips_toosmall++ ; 
goto next; 

ip = mtod(m, struct ip ^); 

) 

/* 

* Look for queue of fragments 

* of this datagram. 
*/ 

for (fp = ipq.next; fp != &ipq; fp = fp->next) 
if (ip->ip_id == fp->ipq_id && 

ip->iP-src.s_addr == fp->ipq_src . s_addr && 
ip->ip_dst.s_addr == fp->ipq_dst .s_addr 
ip->iplp fp->ipq_p) 
goto found; 

fp = 0; 



so 



55 



* Adjust ip_len to not reflect header, 

* set ip_mff if more fragments are expected, 

* convert offset of this to bytes, 
*/ 

ip->ip_len -= hlen; 

((struct ipasfrag *) ip) ->ipf_mf f = 0; 
if (ip->ip_off & 1P.MF) 

((struct ipasfrag *) ip) ->ipf_mf f = 1; 
ip->ip_off «= 3; 
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/* 

* If datagram marked as having more f ragfments 

* or if this is not the first fragment, 

* attempt reassembly; if it succeeds, proceed. 
*/ 

if (((struct ipasfrag *) ip) ->ipf_mf f I I ip->iP_off) { 
ipstat. ips_fragments++; 
ip = ip_reass( (struct ipasfrag *)ip. fp) ; 
if (ip ==0) 

goto next; 
eX S6 

ipstat. ips_reasseinibled++j 
m B dtom(ip); 

} else 

if (fp) 

IS ip_freef (fp); 



10 



) else 



ip->ip_len hlen; 



/* 

* Switch out to protocol's input routine. 

20 */ 

ipstat. ips_delivered++; 

(♦inetsw(ip_protox[ip->ip_pl ] .pr^input) (m, hlen) ; 
goto next; 

bad: 

n\_freem(m) ; 
25 goto next; 

/* 

* Take incoming datagram fragment and try to 

* reassemble it into whole datagram. If a chain for 

* reassembly of this datagram already exists, then it 
30 * is given as fp; otherwise have to make a chain. 

♦/ 

struct ip * 
ip_reass(ip, fp) 

register struct ipasfrag *ip; 
register struct ipq *fp; 



35 i 



40 



45 



register struct mbuf *m = dtom(ip); 

register struct ipasfrag *q; 

struct mbuf *t; 

int hlen = ip->ipjil « 2; 

int i, next; 

/* 

* Presence of header sizes in nibufs 

* would confuse code below. 
♦/ 

m->iiL.<lata += hlen; 
m->n\_len -= hlen; 



* If first fragment to arrive, create a reassembly Queue. 
*/ 

if (fp == 0) { 

if ((t = m_get(M_DONTWAIT, MT_FTABLE) ) == NULL) 
50 ' goto dropfrag; 

fp = mtod(t, struct ipq *); 
insque(fp, &ipq) ; 
fp->ipq_ttl = IPFRAGTTL; 
fp->ipq_p = ip-'>ip_p; 
fp->ipq_id = ip->ip_id; 

ss 
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fp->ip<L.next = fp->ipq_prev = (struct ipasfrag *)fp', 
fp->ipq_src = ((struct ip * ) ip) ->ip_src; 
fp->ipq_dst s ((struct ip *) ip) ->ip.<3ist; 
q = (struct ipasfrag *}fp; 
goto insert; 



/* 

♦ Find a segment which begins after this one does. 
70 ♦/ 

for (q s fp->ip<i_next; q !=r (struct ipasfrag *)fp; q = q->ipf_next) 
if (q->:ip_off > ip->ip„off) 
break; 



/* 

* If there is a preceding segment, it may provide some of 

* our data already. If so, drop the data from the incoming 

* segment. If it provides all of our data, drop us. 
♦/ 

if <q->ipf_prev != (struct ipasfrag *)fp) ( 

i = q->ipf_prev->ip_off + q->ipf_prev->ip_len - ip->ip_off; 
if (i > 0) { 

20 if (i >= ip->ipjen) 

goto dropfrag; 
m_adj (dtom(ip) , i) ; 
ip->ip_off += i; 
ip->ip_len -= i; 

) 

25 ) 
/* 

* While we overlap succeeding segments trim them or, 

* if they are completely covered, dequeue, them. 
V 

while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off 



i = (ip->ip_off + ip->ip_len) - q->ip_off; 
if (i < q->ip_len) ( 

q->ip_len i; 
q->ip_off +» i; 
m^adj (dtomiq) , i); 
55 break; 

) 

q = q->ipf_next; 
nL.freem(dtom(q->ipf_prev) ) ; 
iP-,deq(q->ipf_prev) ; 



40 

insert: 



* stick new segment in its place; 

* check for complete reassembly. 
•/ 

45 ip_enq(ip, q->ipf_prev) ; 

next =0; 

for (q = fp->ipq_next; q != (struct ipasfrag *)fp; q = q->ipf_next) { 
if (q->ip_off != next) 

return (6) ; 
next += q->ip_len; 

) 

50 if (q->ipf _prev-'>ipf_mf f ) 

return (0); 

/* 

* Reassembly is complete; concatenate fragments. 
*/ 

ss 
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q =. fp->ipq_next; 
m = dtom(g) ; 
*t = in->m_next; 
m->m_next = 0; 
._cat{m, t) ; 
q = q->ipf_next; 

while (q != (struct ipasfrag *)fp) { 
t = dtom{q) ; 
q = q->-ipf_next; 

> 

* Create header for new Ip packet by 

* modifying header of first packet; 

* dequeue and discard fragment reassembly header. 

* Make header visible. 
*/ 

ip = fp->ipq_next? 
ip->ip_len = next; 

((struct ip *)ip)->ip_src = fp->ipq_src; 
((struct ip ♦)ip)->ip_dst = fp->ipq_dst; 
remque(fp) ; 

(void) m_free(dtom(fp) ) ; 
m = dtom(ip) ; 

m->rrulen += (ip->ip_hl « 2); 
m->m_data -= (ip->ip_hl « 2); 

/* some debugging cruft by sklower, below, will go away soon */ 
if (m->nuflags & H-PKTHDR) { /* XXX this should be done elsewhere 

register int plen & 0; 

for (t = m; m; in » in->n\_next> 
plen += m->nulenj 

t->m_pkthdr.len = plen; 

) 

return ((struct ip *)ip); 

dropfrag: 

ipstat. ips_fragdropped++; 

R^freem(m); 

return (0); 

> 

/* 

* Free a fragment reassembly header and all 

* associated datagrams. 
*/ 

iP-freef (fp) 

struct ipq *fp; 

( 

register struct ipasfrag *q, *p; 

for (q = fp->ipqL.next; q != (struct ipasfrag *)fp; q = p) { 
p = q->ipf_next; 
ip«<ieq(q); 
n\_freem(dtom(q) ) ; 

> 

remque (fp) ; 

(void) n\_fr€e(dtoro(fp) ) ; 

> 

/* 

* Put an ip fragment on a reassecnbly chain. 

* Like insque, but pointers in middle of structure. 
*/ 

ip_enq{p, prev) 

register struct ipasfrag *p, *prev; 
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( . . 

'p->ipf_prev = prev; 
o->ipf_next = prev->ipf_nexc? 
.)rev->lpf_next->ipf_prev = p; 
prev->ipf_next = p; 

) 

/* 

* To ip_eng as remque is to insgue. 
•/ 

ip_deg(p> 

register struct ipasfrag *p; 

( 

p->ipf_jprev->ipf_next = p->ipf„next; 
p->ipf jiext->ipf_prev = p->ipf_prev; 

} 

/* 

* IP timer processing; 

* if a timer expires on a reassembly 

* queue, discard it. 
V 

ip«slowtimo() 
{ 

register struct ipq *fp; 
int s s splnetO; 

fp = ipq. next; 
if (fp == 0) { 

splx(s) ; 

return; 

) 

while (fp != &ipq) { 

— fp->ipqLttl; 
fp = fp->next; 

if {fp->prev->ipq_ttl == 0). ( 

ipstat • ips.f ragtimeout-i-*-; 
ip_freef (fp->prev) ; 

) 

} 

splx(s) ; 

) 

/♦ 

* Drain off all datagram fragments. 
♦/ 

ip„drain < ) 
{ 

while (ipq. next 1= &ipq) ( 

ipstat- ips_fragdropped++; 
ip_f reef (ipq. next) ; 

) 

} 

extern struct in_ifaddr *ifptoia(); 
struct in.ifaddr *ip_rtaddr(); 

/* 

* Do option processing on a datagram, 

* possibly discarding it if bad options are encountered, 

* or forwarding it if source -routed. 

* Returns 1 if packet has been forwarded/ freed, 

* 0 if the packet should be processed further. 
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V 

ip_diooptions (m) 

struct nbuf *in? 

{ • 

egister struct ip *ip = mtoddn, struct ip *); 
register u_char *cp; 
register struct ip^timestan^ *ipt; 
register struct in^ifaddr *ia; 

int opt, optlen, cnt, off, code, type = ICMP_PARAMPR0B, forward = 0 
struct in^addr *sin; 

n_time ntime; ' 
CP = (u_char *) (ip + 1); 

cnt = (ip->ip_hl « 2) - sizeof (struct ip) ; 
for (; cnt > 0; cnt -= optlen, cp += optlen) { 

opt = Cp(IPOPT_OPTVAL) ? 
if (opt == IPOPT^EOL) 

break; 
if (opt == IPOPT.NOP) 
optlen =1; 

else { 

optlen = cpClP0PT_0LEN3 ; 

if (optlen <= 0 1 1 optlen > cnt) { 

code = &cp[IP0PT_0LEN3 - (u^char *)ip; 

goto bad; 

) 

> 

switch (opt) { 
default: 

break; 

/* 

* Source routing with record. 

* Find interface with current destination address. 

* If none on this machine then drop if strictly routed, 

* or do nothing if loosely routed. 

* Record interface address and bring up next address 

* coirponent. If strictly routed make sure next 

* address is on directly accessible net. 
*/ 

case IPOPT^LSRRs 
case IPOPT_SSRR: 

# i f de f MILKYWAY_BH 

/• Hung Vu Oct 28, 1994 

We simply do not understand source routing 

just return ICMP_UNREACH and SRCFAIL 

*/ 

type = ICMP_UNREACH; 

code = ICMP_UNREACH_SRCPAIL; 

goto bad; 

#endif 

if ((off = cp[IPOPT_OPFSETj) < IPOPT^HINOFF) { 

code = tcpCIPOPT.OFFSET) - (u^char *)ip; 
goto bad; 

) 

ipaddr. sin_addr = ip->ip_dst; 
ia = (struct in_ifaddr *) 

if a^ifwithaddr ( (struct sockaddr *)&ipaddr); 
if (ia == 0) ( 

if (opt == IPOPT_SSRR) { 

type = ICMP.UNREACH; 

code = ICMP_UNREACH_SRCFAIL; 

goto bad; 
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} 

/* 

* Loose routing, and not at next destination 

* yet; nothing to do except forward. 
V 

* break; 

) 

off — ; /* 0 origin */ 

if (off > optlen - sizeof (struct in^addr) ) { 
/* 

* End of source route. ShouM be for us. 
10 */ 

save_rte (CP, ip->ip_src) ; 
break; 

) 

/* 

* locate outgoing interface 

IS V 

bcopy { (caddr_t) (cp + off), (caddr_t) tipaddr .sin_addr, 

sizeof (ipaddr.sin_addr) ) ; 
if (opt == IPOPT_SSRR) ( 
#define INA struct in_ifaddr * 
# define SA struct sockaddr * 

if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == C 
i a = in_i aonneto f ( in_ne to f ( ipaddr , s i n_addr ) ) ; 

} else 

ia s ip_rtaddr( ipaddr. sin^addr) ; 
if (ia == 0) ( 

type = ICMP.UNREACH; 
code = ICMP.UNRBACK.SRCFAIL; 
25 goto bad; 

) 

ip->ip_dst = ipaddr .sin_addr; 

bcopy ( ( caddr_t ) & ( IA_S IN ( i a ) - >s in_addr ) , 

(caddr.t) (cp + off), sizeof (struct in_addr) ) ; 
cp[IP0PT_0FFSET3 += sizeof (struct in_addr) ; 
30 forward =1; 

break; 

case IPOPT_RR: 

if ((off = cp[rPOPT_OPFSET] ) < IPOPT^MINOFF) ( 

code = tcp{IPOPT_OFFSET] - (u^char *)ip; 
35 goto bad; 

/* 

* If no space remains, ignore. 
•/ 

off--; /* 0 origin */ 

if (off > optlen - sizeof (struct in_addr)) 
break; 

bcopy ( (caddr.t) (&ip->ip_dst) , (caddr.t) & ipaddr .sin.addt 
sizeof ( ipaddr . sin_addr ) ) ; 

/* 

* locate outgoing interface; if we're the destination, 

* use the incoming interface (should be same) . 
45 */ 

if.((ia = (INA)ifa_ifwithaddr( (SA)&ipaddr) ) == 0 && 
(ia = ip_rtaddr( ipaddr. sin_addr) ) ==0) < 
type = ICMP.UNREACH; 
code = ICMP.UNREACHJOST; 
goto bad; 

so ) 

bcopy ( (caddr_t)&{lA_SlN(ia) ->sin_addr) , 

(caddr_t) (cp + off), sizeof (struct in_addr)}; 
cp[IPOPT_OFFSET] += sizeof (struct in_addr) ; 
break; 

55 
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case IP0PT_TS: 

code = cp - (u_char *)ip; 
ipt = (struct ip^timestamp *)cp; 
if (ipt->ipt_len < 5) 
^ goto bad; 

if (ipt->ipt_ptr > ipt->ipt^len - sizeof (long)) { 
if (-»-+ipt->ipt_oflw == 0) 
goto bad; 

break ; 

) 

70 sin = (struct iiuaddr *) (cp + ipt->ipt_ptr - 1); 

switch (ipt->ipt_flg) { 

case IPOPT_TS_TSONLY: 
break; 

IS case IPOPT_TS_TSANDADDR: 

if (ipt->ipt_ptr 4 sizeof (n_time) + 

sizeof (struct in_addr) > ipt->ipt_len) 
goto bad; 
ia = ifptoia(ni->mjE)kthdr.rcvif ) ; 
bcopy( (caddr_t) &IA_SIN(ia) ->sin_addr, 

(caddr_t) sin, sizeof (struct in_addr) ) ; 
ipt->iptjtr '+= sizeof (struct in_addr) ; 
break; 



20 



case IPOPT^TS.PRESPEC: 

if (ipt->ipt_ptr + sizeof (n_ time) + 

sizeof (struct in_addr) > ipt->ipt_len) 
goto bad; 

bcopy ( (caddr.t) sin, (caddr.t ) fripaddr . sin.addr , 

sizeof (struct ii\_addr) ) ; 
if (ifa_ifwithaddr((SA)&ipaddr) == 0) 
continue; 

ipt->ipt_ptr += sizeof (struct in_addr) ; 
30 break; 

default; 

goto bad; 

} 

ntime = iptimeO ; 

35 bcopy ( (caddr_t) fcntime, (caddr_t)cp + ipt->ipt_ptr - 1, 

sizeof (n_time) ) ; 
ipt-'>ipt^tr 4-s sizeof (n^time) ; 

) 

} 

if (forward) ( 

if (ipforward_srcrt == 0) { 
type = ICMP.UNREACH; 
code = ICMP.UNRBACH.SRCFAIL; 
goto bad; 

) 

ip_forward(m, 1); 
return (1); 

^ ) else 

return (0>; 

bad: 

ictnp.error(m, type, code); 
return (1) ; 

) 

so 

/* 

* Given address of next destination (final or next hop) , 

* return internet address info of interface to be used to get there. 
*/ 

55 
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struct in_ifaddr. * 
ip_rtaddr (dst) 

struct in_addr dst; 

{ 

agister struct sockaddr_in *sin; 

sin = (struct sockaddr^in *) &ipforward_rt.ro_dst; 

if (ipforward_rt.ro„rt == 0 1 1 dst.s_addr sin->siiuacadr .s^addr) 
if (ipforward_rt.ro_rt) < 

RTFREE(ipforward_rt.ro„rt) ; 
ipf orward_rt . ro^rt = 0; 

) 

sin->sixufamily = AF.INET; 
sin->sin_len = sizeof (*sin) ; 
sin->siiuaddr = dst; 

rtalloct&ipforwardLrt) ; 

if (ipforward_rt.ro_rt == 0} 

return ((struct in_ifaddr *)0); 
return ((struct in_ifaddr *) ipforwardLrt .ro_rt->rt_ifa) ; 

) 

/* 

♦ Save incoming source route for use in replies, 

* to be picked up later by ip_srcroute if the receiver is interested. 
*/ 

save_rte (option , dst) 

u_char *option; 
struct in^addr dst; 

unsigned olen; 

Glen = option ( I POPT.OUSN] ; 
«ifdef DEBUG 

if (ipprintfs) 

printf Csave^rte: olen %d\n\ olen); 



»endif 



if (olen > sizeof (ip^srcrt) - (1 + sizeof (dst) ) ) 
return; 

bcopy( (caddr_t) option, (caddr_t) ip_srcrt. srcopt, olen) ; 
ip^nhops = (olen - IPOPT^OFFSET - 1) / sizeof (struct in.addr); 
iplsrcrt.dst = dst; 



* Retrieve incoming source route for use in replies, 

* in the same form used by setsockopt. 

* The first hop is placed before the options, will be removed later. 
*/ • 

struct ndauf * 
ip_arcroute() 

register struct in^addr *p, *Q; 
register struct robuf *m; 

if (ip_nhops == 0) 

return ((struct robuf *)0); 
m = m_get(M_DONTWAIT, MT_SOOPTS); 
if (m == 0) 

return ((struct ihbuf *)0); 

#define 0PTSI2 (sizeof (ip_srcrt. nop) + sizeof (ip.srcrt. srcopt) ) 

/* length is (nhops+1) *sizeof (addr) + sizeof (nop + srcrt header) * 
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20 



25 



ni->ro_l€n = ipjihops * sizeof (struct in_addr) + sizeof (struct in.addr) + 
OPTSIZ; 

c #ifdef DEBUG 

if (ipprintfs) ^ , . 

printf ("ip.srcroute: nhops %d mien %d", ip_nhops. m->m_ien); 

ttendif 

/* 

* First save first hop for return route 

10 */ 

p s: fcip_srcrt. route tip.nhops - U ; ' 
*(mtod(m, struct in_addr *) ) « *p — ; 
#ifdef DEBUG 

if (ipprintfs) ^ 
printfC hops %lx». ntohl(mtod(m, struct in_addr *) ->s_addr) ) ; 

75 #endif 

/* 

* Copy option fields and padding (nop) to inbuf. 
*/ 

ip^srcrt.nop = IPOPT_NOP; 

ip_srcrt.srcopt [IPOPT_0FFSET] = IPOPTJIINOFF; 
bcopy( (caddr_t)&ip_srcrt.nop, 

mtod(in, caddr^t) + sizeof (struct in^addr) , OPTSIZ); 
q = (struct in„addr *) (mtoddn, caddr_t) + 
sizeof (struct iz^addr) OPTSIZ); 
#undef OPTSIZ 
/* 

* Record return path as an IP source route, 

* reversing the path (pointers are now aligned) . 
*/ 

while (p >= ip.srcrt • route) { 
#ifdef DEBUG 

if (ipprintfs) 

30 printf(" %lx-, ntohl(Q->s_addr) ) ; 

lendif 

*q++ = *p — ; 

} 

/* 

* Last hop goes to final destination. 

35 V 

•q = ip_srcrt.dst; 
#ifdef DEBUG 

if (ipprintfs) 

printf(" %lx\n", ntohl (q->s_addr) ) ; 

#endif 

40 return (m) ; 

/* 

* Strip out IP options, at higher 

* level protocol in the kernel. 

* Second argument is buffer to which options 

* will be moved, and return value is their length. 

* XXX should be deleted; last arg currently ignored, 
*/ 

ip_stripoptions (in, mopt) 

register struct mbuf *m; 
struct mbuf *mopt; 



so 



{ 



register int i; 
struct ip *ip = mtoddn, struct ip *); 
register caddr_t opts; 
int olen; 

55 olen = (ip->ip„hl«2) - sizeof (struct ip) ; 
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> 



opts = {caddr_t) (ip + 1); 

i = m->m_len - (sizeof (struct ip) + olen) ; 
bcopyCopts + olerii opts, (unsigned) i> ; 
m->nulen -= olen; 
If (m->ro_flags & M^PKTHDR) 

m->m_pkthdr . len -= olen; 
ip->ip_hl = sizeof (struct ip) » 2; 



u_char inetctlernnap[PRC_NCMDSJ = ( 

0, 0, 0, 0, ' 

0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH , 

EHOSTUNREACH, EHOSTUNREACH . ECONNREFUSED , ECONNREFUSED. 

EMSGSIZB, EHOSTUNRE/iCH, 0, 0, 

0, 0, 0, 0, 



>; 



ENOPROTOOPT 



Forward a pac)cet. If some error occurs return the sender 

* an icmp pac)tet. Note we can't always generate a meaningful 

* icmp message because icmp doesn't have a large enough repertoire 

* of codes and types. 
* 

* If not forwarding, just drop the paclcet. This could be confusing 

* if ipfoin^iTarding was zero but some routing protocol was advancing 

* us as a gateway to somewhere « However, we must let the routing 

* protocol deal with that. 
* 

* The srcrt parameter indicates whether the packet is being forwarded 

* via a source route. 
♦/ 

void 

ip_forward(m. srcrt) 

struct nibuf *m; 
int srcrt; 

{ 

register struct ip *ip = mtod{m, struct ip *); 

register struct soc)caddr_in *sin; 

register struct rtentry *rt; 

int error, type = 0, code; 

struct mbuf *mcopy; 

struct in.addr dest; 

dest.s_addr s 0; 
#ifdef DEBUG 

if (ic^rintfs) 

printf ("forward: src %x dst %x ttl %x\n" , ip->ip_src, 
ip->ip_dst, ip->ip_ttl) ; 



#endif 



if (m->m_flags & H_BCAST || in_canforward(ip->ip_dst) 0) { 
ipstat. ips_cantf orward++; 
Rt.freem(m) ; 
ret\irn; 

) 

HTONS(ip->ip_id) ; 

if (ip->ip„ttl <= IPTTLDEC) ( 

icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS , dest); 

return; 

} 

ip->ip-.ttl -= IPTTLDEC; 

sin = (struct soc)caddr_in * )&ipforward_rt . ro_dst; 
if ((rt = ipforward_rt.ro_rt) == 0 | | 

ip->ip_dst.s_addr != sin->sin_addr , s.addr) { 
if (ipforward_rt.ro_rt) { 
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RTFREE ( ipf orward^rt . ro_rt ) ; 
ipf orward_rt . ro_r t = 0 ; 

) 

sin->sin_family = AF_INET; 
sin->sin_len = sizeof ( *sin) ; 
* sin->sin_addr = ip->ip_dst; 

rtalloc (&ipf orward^rt) ; 

if (ipforward__rt.ro_rt ==0) { 

icmp_error(m, ICMP^UNREACH/ ICMP_UNREACH_HOST, dest) ; 

return; 

10 ) 

rt = ipforwar<3Lrt,ro_rt; 

) 

/* 

* Save at most 64 bytes o£ the packet in case 

7f * we need to generate an ICMP message to the src. 

*/ 

mcopy = nL-Copy(m, 0, imin( (int) ip->ipjen, 64)); 

tifdef GATEWAY 

ip_ifmatrixlrt->rt_ifp->if_index + 
2^ if_index * m->irLP)cthdr ,rcvif->if_index] ++; 

#endif 

/* 

* If forwarding packet using same interface that it came in on, 

* perhaps should send a redirect to sender to shortcut a hop. 

* Only send redirect if source is sending directly to us, 

* and if packet was not source routed (or has any options). 

* Also, don't send redirect if forwarding using a default route 

* or a route modified by a redirect. 
*/ 

#define satosin(sa) ((struct sockaddr^in *)(sa)) 

if (rt->rt_ifp == m->m_pkthdr .rcvif && 

(rt->rt_f lags & (RTF_DyNAMIC|RTF_MODIFIED) ) == 0 
30 satosin(rt_k€y(rt) )->sin_addr.s_addr != 0 && 

ipsendredirects && isrcrt) { 
struct in_ifaddr *ia; 
u_long src = ntohl (ip->ip_src .s_addr) ; 
u_long dst = ntohl(ip->ip_dst.s_addr) ; 

35 if ( (la = ifptoia (m->nLPkthdr, rcvif) ) && 

(src & ia->ia_subnetmask) == ia->ia_subnet) { 
if (rt->rt_flags & RTF^GATEWAY) 

dest = satosin(rt->rt_gateway)->sin_addr; 

else 

dest = ip->ip_dst; 

/♦ 

* If the destination is reached by a route to host, 

* is on a subnet of a local net, or is directly 

* on the attached net (!), use host redirect. 

* (We may be the correct first hop for other subnets.) 
•/ 

#define RTA(rt) ((struct in_ifaddr *) (rt->rt_if a) ) 
^ type = ICMP_REDIRECT; 

if ((rt->rt_flags & RTF_HOST) || 

(rt->rt_f lags & RTF.GATEWAY) == 0) 
code = ICMP_REDIRECT_HOST; 
else if (RTA(rt) ->ia_subnetmask != RTA(rt) ->ia_netmask && 
(dst & RTA(rt) ->ia_netmask) == RTA(rt) ->ia_net) 
so code = ICMP_REDIRECT_HOST; 

else 

code = ICMP_REDIRECT_NET; 
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#i£def DEBUG 



if (ipprintfs) 



55 
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printf {-redirect {%d) to %x\n*, code, dest . s_addr) ; 

«endif 

) 

> 

s ( 

#ifdef DIRECTED_BROADCAST 

error = ip_output(m, (struct iribuf *)0r &ipforwar4_rt, 
IP_F0RWARD1NG | IP_ALLOWBROADCAST) ; 

ieXse 

error = ip_output(m, (struct wbuf *)0. &ipforward_rt , IP_FORWARDING) ; 

JO #endif 

if (error) 

ipstat . ips_cant£orward++; 
else ( 

ipstat. ips_forward++; 
if (type) 

ipstat. ips_redirectsent-t-+; 

else { 

if (mcopy) 

m_f reem(mcopy) ; 

return; 

} 

if (mcopy NULL) 

return; 
switch (error) ( 

case 0: /* forwarded, but need redirect */ 

/* type, code set above */ 
25 break; 

case ENETUNREACH: /* Shouldn't happen, chec)ced above */ 

case EHOSTONREACH: 

case ENBTDOVn^: 

case EHOSTDOWN: 

30 default : 

type = ICMP_UNREACH; 
code = ICMP_UNREACH„HOST; 
brea)c; 
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45 



case EMSGSIZE: 

type = ICMP_UNREACH; 

code = ICMP_UNREACH_NEEDFRAG; 

ipstat . ips_cantf rag-*-* ; 

break; 

case ENOBUFS: 

type = ICMP.SOURCBQUENCH; 

code « 0; 

break; 

> 

icirp.error (mcopy, type, code, dest); 



50 
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BSOI SId: in_pcb.c,v 1.1. 1,1. 4.1 1994/11/16 15:11:14 mcr Exp $ 
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* Copy 'ght (c) 1982, 1986, 1991 Regents of the University of California, 

* All .ghts reserved. 
• 

* Redistribution and use in source and binary forms, with or without 

* modification, are permitted provided that the following conditions 

* are met: 

* 1. Redistributions of source code must retain the above copyright 

* notice, this list of conditions and the following disclaimer. 

* 2. Redistributions in binary form must reproduce the above copyright 

* notice, this list of conditions and the following disclaimer in the 

* documentation and/or other materials provided with the distribution. 

* 3. All advertising materials mentioning features or use of this software 

* must display the following acknowledgement: 

* This product includes software developed by the University of 

* California, Berkeley and its contributors. 

* 4. Neither the name of the University nor the names of its contributors 

» may be used to endorse or promote products derived from this software 

* without specific prior written permission. 
* 

* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ' *AS IS' ' AND 

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 

* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 

* SUCH DAMAGE. 



e(#)in_pcb.c 7.14 (Berkeley) 4/20/91 
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# include "param.h" 
# include "systm.h" 
#include •malloc.h* 
#include "mbuf.h" 
# include "proc.h" 
# include "protosw.h* 
# include "socket.h" 
#include "socketvar .h" 
# include -ioctl.h" 
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# include 
tinclude 

# include 
# include 
# include 
« include 
# include 
# include 



-. ./net/if .h- 
. /net/route. h" 

-in.h- 

■in_syatm.h" 

"ip.h" 

"Injpcb.h* 

*in_var.h" 

•ip_var.h* 
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fdefine any_port 
#define 0PENWIN_P0RT 
#def ine XWINDOW_PORT 
#define SYSLOGD^PORT 



htons( 59813) 
htons (2000) 
htons (6000) 
htons (514) 
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struct in.addr zeroin^addr; 
struct inpcb • 
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in_pcblokup(head, faddr, fport, laddr, Iport, flags) 
struct inpcb *hGad; 
struct in_addr faddr, laddr; 
ushort fport, Iport; 
.nt flags ; 



{ 



register struct inpcb *inp, *inatch = 0; 
int matchwild = 3, wildcard; 



70 



IS 



for (inp = head->inp_next; inp !« head; inp = inp->inp_next) { 
if (inp->inp_lport != Iport) 

continue; 
wildcard = 0; 

if (inp->inp_laddr,s_addr != INADDR^ANY) { 
if (laddr. s^addr == INADDR^ANY) 
wildcards 

else if (inp->inp_laddr.s.addr != laddr. s_addr) 
continue; 
y else ( 

if ( laddr. s_addr ! = . INADDR^ANY) 
wildcard-^i-; 

> 

20 If (inp->inp_faddr.s_addr != INADDR^ANY) { 

if (faddr.s^addr INADDR^ANY) - 
wildcard++; 

else if <inp->inp_faddr .s.addr != faddr.s_addr || 
inp->inp_fport != fport) 
continue; 

> else { 

if (faddr.s_addr 1= INADDIU^) 
wildcard-*-*-; 

} 

if (wildcard && (flags & INPLOOKUP_WILDCARD) 0) 

continue; 
if (wildcard < matchwild) { 
match s inp; 
matchwild - wildcard; 
if (matchwild ==0) 
break; 

} 

35 > 

retiarn (match) ; 

) 

in.j>cballoc(so, head) 

struct socket *so; 
struct inpcb *head; 



2S 



30 



40 



{ 



struct nibuf *m; 

register struct inpcb *inp; 



m = nL^etclr(M^DONTOAlT, MT„PCB); 
if (m == NULL) 

return (ENOBUFS) ; 
inp = mtod(m, struct inpcb *) ; 
inp->inp_head = head; 
inp->inp_socket = so; 
insque ( inp , head) ; 
so->so_pcb = (caddr^t) inp; 
return (0); 

) 

in_pcbbind ( inp , nam) 

register struct inpcb *inp; 
struct mbuf ♦nam; 

55 { 
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register struct socket *so = inp->inp_soclcet; 
register struct inpcb *head = inp->inp_head; 
register struct sockaddr_in *sin; 
•=?truct proc *p = curproc; /* XXX */ 

._short Iport = 0; 
int wild = 0; 

if (in.ifaddr == 0) 

return (EADDRNOTAVAIL) ; 
if (inp->inp_lport || inp->inp_laddr.s_addr != INADDR.J^) 

return (EINVAL) ; 

if ((SO-->SO_Options & SO_REUSEADDR) == 0 && 

((so->so_proto->pr_flags & PR^CONNRfiQUIRED) == 0 | | 
(so->so.options & SO^ACCEPTCONN) == 0)) 
. wild = INPLOOKUP^WILDCARD; 

if (nam == 0) 

goto noname; 
sin = mtod(nam, struct sockaddr_in *) ; 
if (nain->nulen != sizeof (*sin)) 

return (einval) ; 
if (sin->sin_addr.s_addr != INADDIL-ANY) { 

int tport = sin->sin^ort; 

sin->sin_port « 0; /* yech... */ 

if (ifa.ifwithaddr( (struct sockaddr *)sin) ~ 0) 

return (EADDRNOTAVAIL); 
sin->sin_port s tport; 

} 

Iport = sin->sin_port; 
if (Iport) ( 

u_short aport = ntohs ( Iport ) ; 

/* GROSS */ 

if (aport < IPPORT^RBSBRVED && suser(p->p_ucred, tp->p_acf lag) ) 

return (EACCES); 
i f ( in_pcblokup (head , 

zeroin_addr, 0, sin->sin_addr , Iport, wild)) 

return (EADDRINUSE) ; 

) 

inp->inp_laddr » sin->sin_addr; 



noname : 



if (Iport == 0) 
do ( 



#ifdef MILKYWAY^BH 
*endif 



if (head->inp_lport++ < IPPORT.RESERVED | | 
head->inp Iport > IPPORT.USERRESERVED) 
head->inp_lport « IPPORT^ESERVED; 
Iport = htons(head->inp_lport) ; 

if (Iport == ANY.PORT) lport++; 



} while (in__pcblokup(head, 

zeroin_addr, 0, inp->inp_laddr , Iport, wild)); 
inp->inp_ Iport = Iport; 
return (0); 



* Connect from a socket to a specified address. 

* Both address and port must be specified in argument sin. 

* If don't have a local address for this socket yet, 

* then pick one. 

in_pcbconnec t ( inp , nam) 

register struct inpcb ♦inp; 
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struct inbuf *nam; 

{ 

struct in_ifaddr *ia; 
"truct sockaddr_in *ifaddr; 

agister struct sockaddr_in *sin = mtod(nam, struct soclcaddr_in *); 

if (nain->xiv_len != sizeof (*sin)) 

return (EINVAL) ; 
if {sin->sin.family != AP_INBT) 

return (EAFNOSUPPORT) ; 
if (sin->sin_i>ort == 0) * 

return ( EADDRNOTAVAIL) ; 
if (in.ifaddr) { 

/* 

* If the destination address is INADDR^any, 

* use the primary local address. 

* If the supplied address is INADDR.BROADCAST, 

* and the primary interface supports broadcast, 

* choose the broadcast address for that interface. 
•/ 

tdefine satosin(sa) ((struct sockaddr.in *)(sa)) 

if (sin->sin_addr.s_addr =« INADDR^JU^Y) 

sin->sin_addr = IA^SIN( in^ifaddr) ->sin_addr; 
else if (sin->sin_addr . s_addr (u_long) INADDR^BROADCAST && 
(in_ifaddr->ia_ifp->if_flags & IFF^BROADCAST) ) 
sin->sin_addr = satosin(&in_ifaddr->ia_broadaddr) ->sin_addr; 

} 

if (inp->inp_laddr.s_addr == INADDR^JOW) ( 
register struct route *ro; 
struct ifnet ♦ifp; 

ia = (struct in_ifaddr *)0; 
/* 

* If route is known or can be allocated now« 

* our src addr is taken from the i/f, else punt. 
*/ 

ro = fiiinp->inp_route; 
if (ro->ro_rt && 

(satosin (&ro->ro_dst) ->sin_addr . s_addr ! = 

s in->sin_addr . s_addr | | 
inp->inp_socket->so_options & SO_DONTROUTE) ) { 
RTFREE(ro->ro_rt) ; 
ro->ro_rt = (struct rtentry *)0; 

> 

if ((inp->inp_socket->so_options & SO.DONTROUTE) == 0 && /*xxx*/ 
(ro->ro_rt (struct rtentry *)0 || 
ro->ro_rt->rt_ifp == (struct ifnet *)0)) ( 
/* No route yet, so try to acquire one */ 
ro->ro„dst.sa_family = af_ineT; 
ro->ro_dst. sa_Llen = sizeof (struct sockaddr_in) ; 
((struct sockaddr_in *) &ro->ro_dst) ->sin„addr = 

8in->sin.addr; 
rtalloc(ro) ; 

) 

/* 

* If we found a route, use the address 

* corresponding to the outgoing interface 

* unless it is the loopback (in case a route 

* to our address on another net goes to loopback) . 
*/ 

if {ro->ro_rt && (ifp = ro->ro_rt->rt_ifp) && 
(ifp->if_flags & IFF_LOOPBACK) == 0 && 
(ia = (struct in_ifaddr ♦) ro->ro_rt->rt_if a) == 0) 
for (ia = in_ifaddr; ia; ia = ia->ia_next) 
if (ia->ia_ifp == ifp) 
break ; 
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If (ia 



== 0) { 
int fport 



sin->sin_port; 
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sin->sin_port =0? 

ia = (struct in_ifaddr •) 

i£a_ifwithdstaddr( (struct sockaddr *)sin); 
sin->sin_port = fport; 
if (ia == 0) 

ia = in_iaonnetof (in_netof (sin->sin_addr) ) ; 
if (ia == 0) 

ia = in_ifaddr; ' 
if (ia == 0) 

return (EADDRNOTAVAIL) ; 



) 



tifdef MULTICAST 



«endif 



* If the destination address is multicast and an outgoing 

* interface has been set as a multicast option, use the 

* address of that interface as our source address. 
*/ 

if (IN_MULTICAST(ntohl(sin->sin_addr.s_addr) ) && 
inp->inp_moptions != NULL) { 
struct ip_moptions *imo; 
struct ifnet *ifp; 

imo = inp->inp_inoptions; 
if (imo->imo_multicast_ifp != NULL) ( 
ifp B imo->imo.multicast_ifp; 
for (ia = ia-ifaddr; ia; ia .= ia->ia_next) 
if (ia->ia_ifp ~ ifp) 
break; 

if (ia »B 0) 

return (EADDRNOTAVAIL); 



> 



) 



) 



ifaddr = (struct sockaddr_in ♦) &ia->ia_addr; 



if ( in_pcblokup (inp->inp_head, 
sin->sin_addr, 
sin->sin_port , 

inp->inp_laddr . s_addr ? inp->inp_laddr 
inp-> inp_lpor t , 
0)) 

return (EADDRINUSE) ; 
if (inp->inp_laddr.s_addr == INADDIL^NY) ( 
if (inp->inp_lport == 0) 

(void) in_pcbbind(inp, (struct mbuf 
inp->inp_laddr s if addr->sin_addr ; 

} 

inp->inp_faddr = sin->sin_addr; 
inp->inp_fport = sin->sinjort; 
return (0); 



i f addr- > s in_;addr , 



MO); 



45 injpcbd is connect ( inp) 

struct inpcb *inp; 



50 



) 



inp->inp_faddr.s_addr = INADDR^Y; 
inp->inp_£port = 0; 

if (inp->inp_socket->so_state & SS^NOFDREP) 
in_pcbdet ach ( inp ) ; 



injcbdetach ( inp) 
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struct inpcb *inp; 

struct socket *so = inp->inp_soc)cet; 

.o->so_pcb = 0; 
sofree(so) ; 
if (inp->inp_ opt ions) 

(void)trufree(inp->inp_options) ; 
if (inp->inp_route.ro_rt) 

rtf ree ( inp->inp_route , ro_rt ) ; 

#ifdef MULTICAST 

i f ( inp -> inp_niopt ions ) 

ip_f reemoptions ( inp ->inp_mopt ions) ; 

»endif 

reingue(inp) ; 

(void) nuf ree (dtom( inp) } ; 

) 

in.set80c)caddr (inp, nam) 

register struct inpcb *inp; 
struct mbuf *nam; 

register struct sockaddr_in *sin; 

nain->iiulen = sizeof (*sin); 
sin = mtod(naiii, struct sockaddr_in *) ; 
bzero( (caddr_t) sin, sizeof (*sin))} 
sin->sin_family = AF_INET; 
sin->sin_len = sizeof (*sin) ; 
sin->siivjport « inp^>inp_lport; 
sin->sin_addr = inp->inp_laddr; 

) 

in^setpeeraddr(inp, nam) 

struct inpcb ♦inp; 
struct xnbuf *nam; 

( 

register struct sockaddr_in ♦sin; 

nam->nulen = sizeof (♦sin); 
sin = mtod(nam, struct sockaddr_in *); 
bzero((caddr_t)sin, sizeof (♦sin))? 
sin->sin_family = AF_INET; 
sin->sin_len = sizeof (*sin) ; 
sin->sinjort = inp ->inp„f port; 
sin->sir3L,addr = inp->inp_faddr; 

> 

/♦ 

♦ Pass some notification to all connections of a protocol 

♦ associated with address dst. The local address and/or port nuxnbers 

♦ may be specified to limit the search. The "usual action- will be 

♦ taken, depending on the ctlinput cmd. The caller must filter any 

♦ cmds that are uninteresting (e.g., no error in the map) . 

♦ Call the protocol specific routine (if any) to report 

♦ any errors for each matching socket. 
* 

♦ Must be called at spinet. 
♦/ 

in_pcbnotify(head, dst, fport, laddr, Iport, cmd, notify) 
struct inpcb ♦head; 
struct sockaddr *dst; 
u_short fport, Iport; 
struct in.addr laddr; 
int cmd, (♦notify) (); 

( 
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register struct inpcb *inp, *oinp; 
struct iruaddr faddr; 
*int err no; 
rnt in_rtchange ( ) ; 
jxtern u_char inetctlerrmap [ ] ; 

if ( (unsigned) cmd > PRC_NCMDS || dst->sa_fainily 1= AF.INET) 
return? 

faddr = ((struct sockaddr_in *)dst) ->sin_addr; 
if (faddr. s^addr == INADDR^ANY) 
return; 

/* 

* Redirects go to all references to the destination, 

* and use in_rtchange to invalidate the route cache. 

* Dead host indications: notify all references to the destination. 

* Otherwise, if we have knowledge of the local port and address, 

* deliver only to that socket. 
*/ 

if (PRC_IS_REDIRECrr(cmd) | | CItid == PRC_HOSTDEAD) { 
fport = 0; 
Iport =0; 
laddr.s_addr = 0; 
if (cmd != PRC.HOSTDEAD) 

notify « in^rtchange; 

) 

errno = inetctlerrmap [cmd] ; 

for (inp = head->inp_next; inp 1= head;) ( 

if (inp->inp_faddr.s_addr != faddr. s_addr || 

inp->inp_socket 0 | | 

(Iport && inp->inp_lport Iport) || 

(laddr.s.addr && inp->inp_laddr.s_addr != laddr.s_addr) || 
(fport && inp->inp_fport != fport)) { 

inp = inp->inp_next; 

continue; 

) 

oinp = inp; 

inp = inp->inp_?iext; 

if (notify) 

(♦notify) (oinp, errno) ; 

) 

) 

/* 

* Check for alternatives when higher level con^lains 

* about service problems. For now, invalidate cached 

* routing information. If the route was created dynamically 

* (by a redirect), time to try a default gateway again. 
*/ 

inclosing (inp) 

struct inpcb *inp; 

{ 

register struct rtentry *rt; 

if .((rt = inp->inp„route.ro_rt) ) ( 

r t_mi ssmsg ( rtm_LOS ING , & inp - > inp_rou te . r o_ds t , 

rt->rt_gateway, (struct sockaddr *) rt_mask(rt) , 
(struct sockaddr *)0, rt->rt_f lags , 0); 
if (rt->rt_flags & RTF_DYNAMIC) 

(void) rtrequest(RTM_DELETE, rt_key(rt) , 

rt->rt_gateway, rt_mask(rt) , rt->rt„flags, 
(struct rtentry **)0); 
inp->inp_route. ro_rt = 0; 
rtfree(rt) ; 
/* 

* A new route can be allocated 
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♦ the next time output is attempted. 
*/ 

) 

^ > 

* After a routing change, flush old routing 

* and allocate a (hopefully) better one. 
*/ 

10 in_rtchange ( inp) 

register struct inpcb *inp; 



IS 
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30 



{ 



if Unp->inp_route.ro_rt) { 

rtfree(inp->inp_route.ro_rt) ; 
inp->inp_route.ro_rt = 0; 
/* 

* A new route can be allocated the next time 

♦ output is atteni>ted. 
*/ 

) 



struct inpcb * 

injcblookup(head, faddr, fport, laddr, Iport, flags) 
struct inpcb ♦head; 
struct in_addr faddr, laddr; 
u^short fport, Iport; 
25 int flags; 



register struct inpcb *inp, ♦match « 0; 
int matchwild = 3, wildcard; 



for (inp = head->inp_next; inp !« head; inp = inp->inp_next) { 
if (inp->inp_lport != Iport) 
#ifdef MILKYWAYJH . ,, ,, 

if ({inp->inp_lport != ANY^PORT) || ( laddr . s_addr == INA 

DDR^LOOPBACK) ) 
#endif 

continue; 

35 *^ .® if ( ((Iport == OPENWIN^PORT) || (Iport == XWINDOW_PORT) || (Ipo 

rt =s SYSLOGD.PORT) ) && ( laddr . s_addr != INADDR.LOOPBACK) ) continue; 
#endif 

wildcard = 0; 

if (inp->inp_laddr.s_addr != INADDR^ANY) { 
if (laddr. s_addr == INADDR^ANY) 
4Q wildcard**; 

else if (inp->inp.laddr.s.addr != laddr . s_addr) 
continue; 

) else ( 

if (laddr. s^addr != INADDR^ANY) 
wildcard**; 

^ if (inp->inp_faddr.s_addr 1= INADDR^ANY) ( 

if (faddr.s^addr INADDR_ANY) 
wildcard**; 

else if (inp->inp„faddr.s„addr != faddr.s_addr || 
inp->inp_fport != fport) 
continue; 

so } else ( 

if {faddr.s_addr != INADDR_any) 
wildcard**; 

if (wildcard && (flags & INPLOOKUP^WILDCARD) ==0) 
continue; 

55 
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if (wildcard < matchwild) { 
match = inp; 
matchwild s wildcard; 
if (matchwild == 0) 
break; 

} 

} 

return (match); 

) • 
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BSDI ip.icmp.cv 1.1.1.1.4.1 1994/11/16 15:11:15 mcr Esqp $ *> 
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Copyright (c) 1982, 1986, 1989, 1993 

egents of the University of California. 



All rights reserved. 



Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions 
are met: 

1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and /or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software 
must display the following acknowledgement: 

This product includes software developed by the University of 
California, Berkeley and its contributors. 

4. Neither the name of the University nor the names of Its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written pezmlsslon. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ''AS IS" AND 
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITOESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
OR SERVICES; LOSS OP USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGE. 

0<#)ip_lcmp.c 7.15 (Berkeley) 4/20/91 
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# include 
# include 
# Include 
# include 
# Include 
# include 
# Include 
# include 

# Include 
# include 



•param.h" 
■systm.h" 
■malloch" 
"mbuf .h- 
■protosw.h" 
■socket, h" 
"time.h- 
"kernel.h" 

./net /route. h" 
./net/if -h" 



45 



# include "in.h" 
# include "in^systm.h" 
♦include "in_var.h" 
#include "ip.h" 
♦include -ip^icnp.h" 
♦include "Icmp^var.h" 



so 



ICMP routines: error generation, receive packet processing, and 
routines to turnaround packets back to the originator, and 
host table maintenance routines. 



#ifdef ICMPPRINTFS 
int icmpprintfs 
#endif 



0; 



ss 



extern struct protosw inetsw[3; 
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/* 

* Generate an error packet of type error 
^ * in r<^sponse to bad packet ip. 

V 

/♦VARARGS3*/ 

icmp^error (n, type, code, dest) 
struct mbuf *n; 
int type, code; 
^0 struct in_addr dest; 

^ register struct ip *oip = mtod(n, struct ip *) , *nip; 

register unsigned oiplen = oip->ip_hl « 2; 
register struct icmp ^icp; 
register struct mbuf *m; 
IS unsigned icmplen; 

tifdef ICMPPRINTFS 

if (icmpprintfs) ^ ^ 

printf ("icmp_error(%x, %d, %d)\n-, oip, type, code>; 

#endif 

20 /* Hung Vu Oct 28, 1994 

Just ignore ICMP REDIRECT 

*/ 

#ifdef MILKYWAYJH 

if (type == ICMP_REDIRECT) goto freeit; 
else icmpstat,icps_error++; 

25 #else 

if (type != ICMP^REDIRECT) 

icxnps tat . icps_error ; 

»endif 

/* 

* Don't send error if not the first fragment of message. 

* Don't error if the old packet protocol was ICMP 

* error message^ only known informational types. 
*/ 

if (oip->ip^off &- (IP_MF|IP_DF)) 
goto freeit; 

_ if (oip->ip_p == IPPROTO_ICMP && type != ICMP^REDIRECT && 

n->iTulen >= oiplen + ICMP^MINLEN && 

!ICMP_INFOTYPE( ( (struct icmp *) ( {caddr_t)oip + oiplen) ) ->icmp_ type) ) 
icirqps tat • icps_oldicmp++ ; 
goto freeit; 

/* Don't send error in response to a imilticast or broadcast packet */ 
if (n->nu.flags & (M^MCAST | M_BCAST)) 
goto freeit; 

/* 

* First, formulate icmp message 
*/ 

m = nLgethdr(H.DONTWAIT, MT_HEADER) ; 
^ if (m == NULL) 

goto freeit; 
icmplen = oiplen min(8, oip->ip_len) ; 
m->m_len = icmplen + ICMP_MINLEN; 
MH_ALIGN(m, m->nulen) ; 
icp = mtod(m, struct icmp *); 
if ((u_int)type > ICMP.MAXTYPE) 

panic ( " icmp_error " ) ; 
icmpstat . icps.outhist [type] ++; 
icp->icmp_type = type; 
if (type == ICMP^REDIRECT) 

icp->icmp_gwaddr = dest; 

55 else 

icp->icn©_void = 0; 
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if. (type == ICMP_PARAMPROB) { 
icp->icinp_pptr = code; 
code = 0; 

cp~>icnip_code = code; 
bcopy( (caddr_t) oip, (caddr_t) ticp->icmp_ip, icmplen) ; 
nip = &icp->icmp_ip; 

nip->ip_len = htons ( (u_short) (nip->ip_len + oiplen)); 

10 /* 

* Now, copy old ip header (without options) ' 

* in front of icmp message. 
V 

if (m->nudata - sizeof (struct ip) < m->m_p)ctdat) 
panic ("icinp len"); 
*5 m->iiudata -= sizeof (struct ip) ; 

in->nul€n += sizeof (struct ip) ; 

m->m_p)cthdr . len = m->it^len; 

m->irupJtthdr.rcvif = n->irLP)cthdr .rcvif ; 

nip = xntod(m, struct ip *); 

bcopy( (caddr_t)oip, (caddr_t)nip, oiplen); 
20 nip->ip_len = m->ip_len; 

nip->ip_hl = sizeof (struct ip) » 2; 

nip->ipj = IPPROTO_ICMP? 

icnqp^ref lect(m) ; 

freeit: 
2$ m_f reem(n) ; 

} 

static struct soc)cproto icmproto = ( AF_INET, IPPROTO_ICMP ) ; 
static struct soc)caddr_in icmpsrc = { sizeof (struct soc)caddr_in) , AF_INET }; 
static struct sockaddr_in icmpdst = < sizeof (struct soc)caddr_in) , AF_INET }; 
30 static struct soc)caddr_in icmpgw = ( sizeof (struct soc)caddr_in) , AF_INET ); 
struct soclcaddr_in icinpmask = { 8« 0 ); 
struct in^ifaddr ♦ifptoiaO; 

/* 



55 



40 



45 



SO 



55 



* Process a received ICMP message* 
*/ 

icmp_input (m, hlen) 

register struct inbuf ♦m; 

int hlen; 

( 

register struct icmp *icp; 

register struct ip *ip = mtod(m, struct ip *); 

int icmplen = ip->ip_len; 

register int i; 

struct in_ifaddr *ia; 

int (*ctlfunc)(), code; 

extern u.char ip_^rotox(); 

extern struct in^addr in.jnakeaddr ( ) ; 

/• 

* Locate icmp structure in mbuf , and checlc 

* that not corrupted and of at least minixmim length. 
♦/ 

#ifdef ICMPPRINTFS 

if (icmpprintfs) 

printf { "icmp^input from %x, len%d\n", ip->ip_src, icmplen); 

#endif 

if (icmplen < ICMP_MINLEN) ( 

icmpstat. icps_tooshort++? 

goco freeit; 

) 

i = hlen + MIN( icmplen, ICMP_ADVLENMIN) ; 
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if. (m->nulen < i (m = in_pullup{m, i) ) == 0) { 
icmpstat. icps_tooshort't-+; 
return; 

p = mtod<m, struct ip *) ; 
m->m_len -= hlen; 
m->n\__data += hlen; 
icp = mtod(m, -struct icmp *); 
if (in_cksum(m, icmplen)) ( 
^0 icinpstat,icps_checksum++; 

goto freeit; 

) 

m->n\.len += hlen; 
in->nL.<3iata -= hlen; 

#ifdef ICMPPRINTFS 

* Message type specific processing. 
V 

if <icmpprintfs) 

printf ("icmp^input, type %d code %d\n", icp- >icmp_ type, 
20 icp->icn!p_code) ; 

«endif 

if (icp->icinp_type > ICMP^MAXTYPE) 
goto raw; 

icmpstat . icps_inhist [ icp->icmp_type] 4+; 
code « icp->icmp^code; 
25 switch (icp->icnip_type) { 

case ICMP_UNREACH : 

if (code > 5) 

goto badcode; 
code += PRC_UNREACH_NET; 
30 goto deliver; 

case ICMP_TIMXCEED: 

if (code > 1) 

goto badcode; 
code ♦= PRC_TIMXCEED_INTRANS; 
35 goto deliver; 

case ICMP_PARAMPROB : 
if (code) 

goto badcode; 
code = PRC_PARAMPROB; 

goto deliver; 

case ICMP_SOORCEQUENCH: 
if (code) 

goto badcode; 
code = PRC.QUENCH; 

deliver: 

/* 

* Problem with datagram; advise higher level routines. 
*/ 

if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || 
icp->icnp_ip.ip.hl < (sizeof (struct- ip) » 2)) ( 
icmpstat . icps_badlen++; 
goto freeit; 

} 

NTOHS(icp->icmp_ip.ip_len) ; 
iifdef ICMPPRINTFS 

if (icmpprintf s) 

printf (-deliver to protocol %d\n*, icp->icnp_ip. ip_pl ; 

55 #endif 

icmpsrc . sin_addr = icp->icmp_ip. ip_dst ; 
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.if (ctlfunc = inetsw[ip^rotox[icp->icinp_ip. ip-_p3 ] .pr.ctlinput) 
(*ctlfunc) (code, (struct sockaddr *)&icmpsrc, 
(caddr_t) &icp->icmp_ip) ; 

^ break; 
badcode; 

icmpstat. icps_badcode++; 
break; 

10 case ICMP^ECHO: , - 

icp->icn5)_type = ICMP.ECHOREPLY; 
goto reflect; 

case ICMP.TSTAMP: 

if (icmplen < ICMP.TSLEN) ( 
IS icmps tat . icps_badlen++; 

break; 

icp->icii^_type = ICMP^TSTAMPREPLY; 

icp->iciiip_rtime = iptimeO; ^ i ^ . 

icp->icinp_ttiine = icp->icmp_rtiine; /* bogus, do later! •/ 

20 goto reflect; 

case ICMP_IREQ: 
#define satosin(sa) ((struct sockaddr^in *)(sa)) 

if (iiunetof (ip->ip_src) == 0 && 

(ia = ifptoia(m->irupkthdr.rcvif))) 

ip->ip«src = injnakeaddr ( in_netof ( IA.SIN ( ia) ->sin_addr ) , 
ixulnaof ( ip->ip_src) ) ; 
icp->icnip_type = ICMP^IREQREPLY; 
goto reflect; 

case ICMP_MASKREQ: 

if (icmplen < ICMP.MASKLEN || 
30 (ia = ifptoia(m->nupkthdr.rcvif ) ) == 0) 

break; 

icp->icit«)_type = ICMP_MASKREPLY; 

icp->iciTip_inask = ia->ia_sockmask. sin_addr . s_addr; 

if (ip->ip_src.s_addr == 01 { 

if (ia->ia_ifp->if_flags & IFF.BROADCAST) 
35 ip->ip_src = satosin(tia->ia„broadaddr) ->sin_addr; 

else if (ia->ia_ifp->if^flags & IFF.POINTOPOINT) 

ip->ip_src = satosin(&ia->ia_dstaddr)->sin_addr; 

} 



reflect: 

40 



ip->ip-len hlen; /* since ip_input deducts this */ 

icrapstat.icps.reflect+-t-; 

icmpstat . icps_outhist ( icp->icinp_type J ♦+; 

icmp_reflect(m) ; 

return; 



/* Hung W Oct 28, 1994 */ 
iifndef MILKYWAY^BH 

case ICMP_REDIRECT: , , , 

if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ) ( 
icmpstat. icps_badlen++; 
break; 

} 

/* 

so * Short circuit routing redirects to force 

* immediate change in the kernel's routing 

* tables- The message is also handed to anyone 

* listening on a raw socket (e.g. the routing 

* daemon for use in updating its tables). 

55 icmpgw.sin_addr = ip->ip_src; 
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#ifdef 



#endif 



10 



IS 



20 



25 



. lcii«>dst .sin^addr = icp->icinp_gwaddr;. 
ICMPPRINTFS 

if (icmpprintfs) 

printf ("redirect dst %x to %x\n"i 

icp->icinp_gwaddr) ; 



icp->icmp_ip. ip_dst, 



«endif 



if (code == ICMP_REDIRECT_NET | | code == ICMP_REDIRECT_TOSNET) { 

u_long in_neto£ ( ) ; 

icmpsrc.sin_addr = 
in_rnakeaddr ( in_netof (icp->icmp_ip . ip_dst) , INADDR.ANY) ; 

in_soc)anaskof (icp->icnp_ip.ip_dst, fiticthpmask) ; 

rtredirectC (struct sockaddr *)&icmpsrc, 
(struct sockaddr *)&icmpdst, 
(struct sockaddr * ) fiicmprtiask, RTF_GATEWAY, 
(struct sockaddr *)&icmpgw, (struct rtentry **)0)? 

icn^src.sin_addr = icp->icin3e>_ip.ip_dst; 

pf CtlinpUt ( PRC_REDIRECT_NET, 

(Struct sockaddr *)&icinpsrc) ; 

} gXsg { 

icmpsrc.sin_addr = icp->icnp_ip. ip^dst.- 
rtredirect ( (struct sockaddr *)&icinpsrc, 
(struct sockaddr *) tictt«)dst, 

(struct sockaddr *)0, RTF.GATEWAY | RTF_H0ST, 
(struct sockaddr •)&icmpgw, (struct rtentry **)0); 
pf c t linput ( PRC_REDIRECT_H0ST , 
(struct sockaddr *)&icmpsrc}; 

} 

break; 



30 



35 



40 



raw: 



* NO kernel processing for the following; 

* just fall through to send to raw listener. 
♦/ 

case ICMP_ECH0REPLY: 
case ICMP_TSTAMPRBPLY: 
case ICMP_IREQREPLY: 
case ICMP.MASKREPLY: 
default: 

break; 

} 



icmpsrc.sin_addr = ip->ip_src; 
icmpdst.sin_addr = ip->ip_dst; 

(void) raw_input (m, ticrt^roto, (struct sockaddr *)&icn^src, 

(struct sockaddr *) fcicmpdst) ; 
return; 



45 
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55 



freeit: 
) 



nufreem(ml i 



* Reflect the ip packet back to the source 
*/ 

icmp_ref lect (m) 

struct nibuf *in; 

register struct ip *ip = mtoddn, struct ip *); 
register struct in.ifaddr *ia; 
struct in_addr t; 

struct mbuf *opts = 0, *ip_srcroute 0 ? 

int optlen = (ip->ip«hl « 2) - sizeof (struct ip) ; 

t = ip->ip_dst; 
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ip,->iP-jist = ip->ip_src; 
/* 

* If the incoming packet was addressed directly to us, 

5 * use dst as the src for the reply, otherwise (broadcast 

* or anonymous), use the address which corresponds 

* to the incoming interface. 
*/ 

for (ia = in ifaddr; iaj ia = ia->ia_next) ( 

if (t.s^addr == IA_SIN(ia> ->sin_addr .s^addr) 
10 break; 

if ((ia->ia„ifp-> if. flags & IPPJROADCAST) &t ' 

t.s^addr == satosin(icia->ia_broadaddr) ->sin_addr .s_addr) 

break; 

if (ia == (struct in_ifaddr *)0) 

ia = ifptoia(m->m_pkthdr.rcvif ) ; 
if (ia == (struct in_ifaddr *)0) 

ia = in_ifaddr; 
t = IA_SIN{ia)->sin_addr; 
ip->ip_src = t; 
ip->iP-ttl = MAXTTL; 

if (optlen > 0) { 

register u_char *cp; 
int opt, cnt; 
u_int len; 

/* 

25 * Retrieve any source routing from the incoming packet; 

* add on any record-route or timestamp options. 
•/ 

cp = (u_char *) (ip + 1); 

if ((opts = ip_srcroute ( ) ) == 0 && 

(opts = m_gethdr(M_DONTWAlT, MT.HEADER) ) ) { 

opts->irulen = sizeof (struct in_addr) ; 

mtod(opts, struct in_addr *>->s_addr = 0; 

) 

if (opts) ( 
#ifdef ICMPPRINTFS 

if (icitqpprintfs) 

printf ("icwp_reflect optlen %d rt %d => 
^ optlen, opts->m_len) ; 

#endif , <. « , 

for (cnt = optlen; cnt > 0; cnt len, cp += len) < 
opt = cp[IP0PT_OPTVALl; 
if (opt == IPOPT_EOL) 
break; 

40 if (opt == IPOPT^NOP) 

len =1; • 

else { 

len = cp[IPOPT„OLEN] ; 
if (len <= 0 II len > cnt) 
break; 

>. 

* should check for overflow, but it "can't happen" 
*/ 

if (opt «- IPOPT_RR II opt == IPOPT^TS) { 
bcopy ( ( caddr.t ) cp , 

rotod(opts, caddr_t) + opts->m_len, len), 
opts->m_len += len; 

) 

if (opts->m_len % 4 != 0) { 

*(mtod(opts, caddr_t) + opts->nulen) = IPOPT^EOL; 
opts->m_len++ ; 

55 
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> 

iifdef ICMPPRINTFS 

if (icmpprintfs) 

print f ( "%d\n" , opts->m_len) ; 



»endi£ 



) 



} 

/* 

* Now Strip out original options by copying rest of first 

♦ rnbuf's data back, and adjust the IP length. 
♦/ 

ip->ip_lGn -= optlen; ' 

ip->ip_hl = sizeof (struct ip) » 2; 

m->ia_len -= optlen; 

if (xn->nuflags & M_PKTHDR) 

m->nupkthdr . len -= optlen; 
optlen += sizeof (struct ip) ; 
bcopy( (caddr_t)ip + optlen. (caddr_t)(ip + 1), 

(unsigned) (m->n\_len - sizeof (struct ip) ) ) ; 

m->nuflags &= -(H_BCAST|H_MCAST) ; 
icmp.send(m, opts) ; 
if (opts) 

(void) mj£ree ( opts ) ; 



struct in_ifaddr * 
ifptoia{ifp) 

struct if net ♦ifp; 



( 



register struct in^ifaddr *ia; 

for (ia = in_ifaddr; ia; ia = ia->ia_next) 
if (ia->ia_ifp == ifp) 
return (ia); 
return ((struct in_ifaddr •)0); 



* Send an icrap packet back to the ip level, 

* after supplying a checksum. 
V 

icmp.senddn, opts) 

register struct tnbuf *m; 
struct mbuf *opts; 

register struct ip *ip = mtoddn, struct ip ♦); 
register int hlen; 
register struct icmp *icp; 

hlen = ip->ipjil « 2; 
m->m_data +» hlen; 
m->iiulen -= hlen; 
icp = mtoddn, struct icnp *); 
icp->icii!P_cksum =0; 

icp->icnip_cksuin = in_cksuin(ni, ip->ip„len - hlen); 
in->irL.data -= hlen; 
m->nulen += hlen; 
#ifdef ICMPPRINTFS 

if (icn^printfs) , . , 

printf ("icmp_send dst %x src %x\n", ip->ip_dst, ip->ip«src) ; 

#endif 

(void) ip_output(in, opts, (struct route *)0, 0); 

) 

n_time 
iptimeO 
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struct timeval atv; 
u_long t; 

icrotime(&atv) ; , 
t = (atv.tv.sec % (24*60*60)) * 1000 + atv.tv.usec / 1000; 
return (htonl (t) ) ; 



APPENDIX B 



MODIFICATIONS TO PROXY FTP AND PROXY TELNET SOURCE CODE 
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10 



IS 



20 



25 



30 



35 



40 



45 



SO 



jupiter-I/milkyway/devel/hungvu/milkyway/proxies/ftp) 75 >diff proxy-ftp. c /home 

/ho ctub/hungvu/archive/ f wtk/ f tp-gw/ f tp-gw . c * 

lcl,2 

< /* Copyright (c) 1993. Trusted Information Systems, Incorporated 
> 

> * Copyright (c) 1993, Trusted Information Systems, Incorporated 
11.17cl2,13 

< /* 

< ♦ copyright (c) 1994. Milkyway Networks Corporation 

< ♦ All rights reserved. 

< ♦/ 

< /♦ 

< ♦ Modified by Hung Vu March 26, 1994 to support real proxy ftp 



< */ 






> static 


char Reside ) = 


"SHeader: f tp-gw. c,v 1.8 94/02/11 11:04:34 


Exp $"; 

> 






26a23,24 






> # include 


<arpa/ftp.h> 




> # include 


<arpa/telnet . h> 




31,35d28 






< # include 


<arpa/f tp.h> 




< # include 


<arpa/telnet.h> 




< # include 


<arpa/inet. h> 




< # include 


<sys/f ile.h> 




< # include 


<net/i£.h> 




47c40 






< tdefine 


VERSION -1.0" 




> ^define 


VERSION "1.3" 




74d66 






< static 


int 


authneeded = 1; 


99,101d90 






< static int 


cmciLenableO ; 




< static int 


cmd_disable ( ) ; 




< static 


void get.enablename ( ) ; 


109d97 






< #define 


OP_DISABLED 0100 /* Has been disable */ 


117,120dl04 






< "en" , 


OP^AUTH, 


cmd_enable, 


< " enable 


OP_AUTH , 


cmd^enable, 


< "dis". 


OP_AUTH, 


cmd_di sable, 


< -disable". op^auth. 


cmd.di sable, 


127dllO 






< "xcwd". 


OP_CONN, 


0, 


129dlll 






< "scpwd* , 


OP.CONN, 


0. 


134dll5 




0, 


< "xcup". 


OP_CONN, 


143dl23 




0, 


< -xrmd", 


OP_CONN, 


145dl24 




0, 


< "xmkd", 


OP_CONN, 


147dl25 




0, 


< "xpwd", 


OP_CONN, 


167dl44 




0, 


< "xrmd", 


OP.CONN, 


169dl45 






< "xmkd", 


OP^CONN, 


0, 



178,182dl53 

< static struct 

< static char 

< static int 
< 



sockaddr_in f inal_sockaddr; 

f inal_address[128] ; 

final_len = sizeof (f inal^sockaddr) ; 
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197dl6.7 . 

< char *ptr; 
200,217cl70 

< enlog ( "proxy-ftp" , LOG_PID) j 

< «el5e 

< openlog ( "proxy- ftp" , LOG_PID|LOG.NDELAy. LPAC) ; 

< #endi£ 
< 

< /* Hungvu March 26. 1994 */ 

< /* First get socket name */ ' 

< get sockname(0, (struct sockaddr *) &f inal.sockaddr , &f inal_len) ; 

< ptr = inet_ntoa(f inal_sockaddr.sin_addr) ; 

< strcpy(&final_address(0] ,ptr) ; 
< 

< /* 

< syslog(LLEV, "final address is %s or %s'* ,ptr, f inal.address) ; 

< */ 
< 

< if (pirate^checkO) { 

< «ifdef BSDI 

< syslogCLLEV, Wrong License info %lx and %lx", getetheraddr ( 
0), getetheraddr (II }; 

> openlog { " f tp-gw" , LOG_PID) ; 
219 220cl72 

< ' syslog{LLEV, "*** Wrong License info for HOSTID = %x".gethosti 
d( 

< )); 

> openlog ( • f tp-gw- , LOG_PID | L0G_NDELAY , LPAC ) ; 
222,223dl73 

< exitd)? 

< ) 

227C177 

< if((confp = cfg_read ( "proxy-ftp" ) ) <Cfg *)-!) 

> if((confp a cfg_read("f tp-gw")) == (Cfg *)-ll 
295d244 

< /* 
306d254 

< V 

308,316d25S 

< if (chdir(ENABLE_DIRECTORY) ) ( 

< syslog(LLEV, -Chdir %s: %m'', ENABLE.DIRECTORY) ; 

< exit(l); 

< ) 

< if (Chroot (ENABLE^DIRECTORY) ) { 

< syslog(LLEV, "chroot %s: %m"i ENABLE^DI RECTORY ) ; 

< exit(l); 

< } 

< chdir (■/■) ; 
375C314 

< sprintf (xuf, "220 %s proxy-FTP (Version %s) ready. " ,huf,V 
ERSION) ; 

> sprintf (xuf , "220 %s FTP proxy (Version %s) ready ." ,huf,V 
ERSION) ; 

401,404d339 

< #ifdef MICRO_BH 

< if (exceec^number (1) ) goto offnow; 

< change.nuniber (1,1); 

< #endif 
422,425d356 

< «ifdef MICRO.BH 

< change_nuinber ( - 1 * 1 ) ; 
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10 



IS 



25 



30 



45 



< goto offnow; 

< #enclif • 
432,433c363,364 

< if(rf<i != -1 && PD_ISSET(rfcl,&rdy)) 

< if (peerreplyO) 



437,438c36B«369 



if (FD_ISSET(0,&rdy) 1 
if (usercind{ ) ) 

if (FD_ISSET(0,fcrdy) ) 
if (usercmdO ) 

if(rfd 1= -1 && PD_ISSET(rfd,&rdy)) 
if (peerreplyO ) 



456,459d386 

< #ifdef MICROJH \ 

< change_nuinber (-1,1); 

< offnow: 

< #endif 
4e7,516d413 

< /* 

< Hung VU April 16, 1994 

< get enable.name 

< •/ 

20 < Static void 

< get.enabl ename ( enable.naine ) 

< char *enable_naine; 

< { 

< strcpy {enable_name,ENABLE_DIRECTORYCR) ; 

< s treat ( enable.name « r iaddr ) ; 

< } . 
< 
< 

< static int 

< cmd_enable(ac,av,cbuf ) 

< int ac; 

< char *av(] ; . 

< char ♦cbuf; 

< ( 

< int fd; 

< char enable.name [ 5 12 ) ; 
< 

< get_enablenaine(enable_name) ; 

< if ( <fd = open {enable_name,0_CREAT, 0660) ) == -1 ) return ( 1) ; 
35 < close (fd); 

< s ay (0 , "Transparent mode enabled"); 

< syslogdiLEV, "Transparent mode enabled for host %s", r iaddr ) ; 

< return (0); 

< ) 
< 

518.532d414 

< static int 

< cmd_disable(ac,av,cbuf ) 

< int . ac; 

< char *av[3 ; 

< char *cbuf; 



< < 

< int fd; 

< char enable„name (512]; 
< 



get.enabl ename ( enab 1 e_naroe ) ; 

< unlink ( enab 1 e_name ) ; 

< say (0, "Transparent mode disable"); 

< syslog(LLEV, -Transparent disable for host %s'', riaddr) ; 
50 < return (0); 



SS 
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538,540(1419 

< , int fd; 

<i Char enabl e_„naine [5121; 

< '^har buC[2]; 
556,569 ;4 

< 

< /* Check for transparent mode enabled. Hung Vu April 16, 1994 ♦/ 

< get_enabl ename ( enabl e_naine ) ; 

< if { (fd = open<enable_naine, O^RDONLY.O)) 1= -1) 



< authenticated =1; /* authenticated aire 
10 ady */ 

< read(fd«buf ; 1) ; 

< close (fd); 

< - ) else { 

< FtpOp •op; 

< for(Op = ops; op->name != (char *)0; op+ 

IS 

< if((op->flg fc 0P_AOK) == 0) 

< Op->flg 1= OP_AOTH I 0P_ 
DISABLED? 

< authallf lg++; 

< ) 
577d441 

20 < syslog(LLBV, "deny hosts%s/%s use of gateway" , rladdr. riaddr) : 

666d529 

682,692cS45 

< if (!strcmp(c->argv(x] , Vnoauth") ) { 

< FtpOp *op; 
< 

25 < for (op « ops; op->name != (char ♦)0? op++) 

< if((op->flg & OP^AOK) == 0) 

< if (op->flg & OP^DISABLED) 

< op->flg &= lOP.AUTH; 

< authallflg = 0; 

< continue; 

30 < > 
< 

> /* default turn on auth for ALL transactions */ 



708dS60 
< 

748,750c600 
35 < /* Modified Hungvu Mar 26 1994 */ 



< static char noad[] = "501 Enter user username or user usernameSsite 
to connect via proxy"; 

< 

> static char noadd = "501 Use user^site to connect via proxy"; 

755d604 

< struct sockaddr^in tsockaddr; 
771.785c620,625 

< /• 

< It is all here for real proxy-top: 

< If user enter only username then used the 

< original destination address 

.45 < V 

< if((p = rindex(av(lj , == (char *)0) { 

< if (av(l] (char *)0) return(sayn(0,noad,slzeof (noad) } ) ; 

< else p = &f inal_address(0] ; 

< } 

< else ( 

< *p = '\0' ; 

SO < P + +; 

< if(*p == 'NO') 
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< . p = &f inal.address [0] ; 

< . } 

> ^f((p = rincLex(av[l] . '0') ) == (char *)0) 

5 > return (sayn(0,noad, si zeof<noad) )) ; 

> P++; 
> 

> if(*p == '\0') 

> p = "localhosC"; 

804.810d643 ^ . . 

< /* Modified by Hungvu May 28, 1994. Do not connect if connect back to self */ 
TO < tsockaddr-sin_addr,s_addr = inet.addr (p) ; 

< if ( checkmyaddr (ttsockaddr) 0 ) ( 

< sprintf (buf , " Already connected to %s ",p); 

< return < say ( 0 , buf ) ) ; 

< ) 

< 

829d661 

< /♦ 
832d663 

< »/ 
883c714 

< sprintfdbuf, "authorize %s 'proxy-ftp %s/%s' " ,av[ll . rladdr. riadd 
r); 

> sprintfdbuf, "authorize %s 'ftp-gw %s/%s ' " , av[ 1] , rladdr, riaddr) ; 
1161C992 

< kbuf(2) = lAC; 

> kbuf[l] = lAC; 
1182.1184dl012 

2S < #ifdef MICRO_BH 

< change^nuniber ( -1 « 1 ) ; 

< #endif 
165Sal484,1485 
> 

> 

30 



35 



IS 



20 



40 



45 



50 



SS 
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jupiCer-C/home/hottub/hungvu/archive/fwtk/tn-gw] 70 >diff proxy- telnet .c /home/h 
o ttub/hungvu / archive / fwtk / tn-gw/ tn-gw . c 
T-aB . 
> 

ll,17cl 

< /* 

< * Copyright (c) 1994, Milkyway Networks Corporation 

< * All rights reserved. 

< */ 

< /* 

< * Modified by Hung Vu March 26, 1994 to support real proxy telnet 

< */ 

>'static char Rcsld[l = "SHeader: tn-gw.c,v 1.6 94/02/11 11:04:41 mjr 

E3q? $■; 

a5,36d29 

< #include <net/if.h> 

IS < # include <sys/file.h> 
51C44 

< #define VERSION -Vl.O" 

> #define VERSION "Vl.S- 

57c50 



TO 



20 



25 



45 



55 



< Static int authneeded = 1? 

> static int authneeded = 0; 

84,87d76 

< static int cmd^enable { ) ; 

< static int cind_di sable {) ; 

< static void get^enablename ( ) ; 



.95,96d83 . . ^ 

< -enable", " enable tranparent mode", cmd_enaDle, 

< "disable". " disable tranparent mode", cmd_disable. 
124,130clll 

< openlog( "proxy- telnet ",LOG_PID) ; 

< #else 

30 < openlog ( "proxy- telnet " , LOG_PID | LOG^NDELAY . LFAC ) ; 

< #endif 

< if (pirate_check( > ) { 

< #ifdef BSDI ^ , 

< syslog(LLEV, Wrong License info %lx and %lx", getetheraddr ( 

0 ) , getetheraddr ( 1 ) ) ; 

35 — — 

> openlog ( " tn-gw" , LOG_PID) ; 

132cll3 syslogCLLEV. ■*♦• Wrong License info for HOSTID = %x",gethosti 

dO); 

> openlog ( " tn-gw" , LOG^PID | LOG_fIDELAY , LFAC ) ; 
40 134,135dll4 

< exit(l); 

< ) 
140C119 

< if((confp = cfg.readC "proxy-telnet")) == (Cfg *)-l) 

> if((confp « cfg_read("tn-gw-) ) (Cfg *)-l) 
192dl70 

< /* 
203dl80 

< */ 

205,213dl81 

< if (chdir (ENABLE_DIRECTORY) ) ( 

SO < syslog(LI.EV, "chdir %s: %m" , ENABLE_DI RECTORY ) ; 

< exit(l); 

< } 
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< if (chrOOt(ENABLE_DIRECTORy) ) { 

< * syslog(LLEV, "chroot %s: %m", ENABLEJIRECTORY) ; 
<■ . exit(l); 

< } 

< chdir(-/-); 
265C233 

< proinpt = "proxy- telnet-> 

> prompt = "tn-gw-> 
286c254 

< sprintf(xuf , -%s proxy- telnet (Version %s) ready : 'Shu f, VERSION) ; 

> sprintf (xuf , ''%s telnet proxy (Version %s) ready; huf, VERSION) ; 
297,300d264 

< /* Modified HungVu Mar 27. 1994 

< to support real proxy-telnet 

< */ 

< if (notnyaddrO ) goto main.loop; 
306C270 

< goto leave2; 



> goto leave; 

309,313d272 

< mair\_locp: 

20 < #ifdef MICRO.BH 

< if (exceedLnumber (1) ) goto leave2j 

< change^nxixnber (1 , 1) ; 

< #endif 
319a279 
> 

322.325d281 
2S < #ifdef MICRO JH 

< change_nuinber (-1,1); 

< goto leave2; 

< #endif 
383,386d338 

< #ifdef MICROJH 

< change.nuinber (-1,1); 

< #endif 

< leave2: 
508,S50d459 

< static void 

< get_enablename(enable_name) 

< char *enaJble_naine; 
35 < { 

< strcpy (enable_name,ENABLE_DIRECTORYCR) ; 

< strcat(enable_nazne,riaddr) ; 

< ) 
< 

< 

< static int 

< cmd_enable(acrav,cbuf ) 

< int ac; 

< char *av[ 1 ; 

< char *cbuf; 

< { 

< int fd; 

< char enable_naniet5l2] ; 
< 

< get enablenaine(enable_name) ; 

< if T (fd = open (enable_naine,0„CREAT, 0660) ) == -1 ) return(l); 

< close (fd) ; 

< say (0, "Transparent mode enabled"); 

< syslog(LLEV, ''Transparent enabled for host %s'*, riaddr) ; 
50 < return ( 0); 

< } 
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< static , int 

< cind_disable(ac, av,cbuf ) 



10 



IS 



20 



25 



30 



35 



40 



45 



SO 



< int 

< char 

< char 

< ( 



ac; 

*av[]f 
•cbuf ; 

int 
char 



fa; 

enabl e_name [512]; 



get^enablename (enable_naine) ; 
unlink ( enabl e^naune) ; 

say (0, "Transparent mode disable'); 

syslog(LLEV, -Transparent disable for host %s". riaddr) ; 
return (0) ; 



enabl e.name [512]; 
fd; 

buf [2]; 



< 
< 
< 
< 
< 
< 
< 

< ) 
< 

555,557d463 

< char 

< int 

< char 
571,577d476 
< 
< 
< 

( 
< 
< 

< 
< 

< sys log (LLEV, 'deny host=%8/%s use of gateway" , riaddr, riaddr) 
625dS22 

< /• 

627.631d523 

< V 
< 
< 
< 
< 

669a562 
> 

1045c93e 
< 

ddr, riaddr) ; 



get_enabl€name(enable_name) ; 

if ( (fd = open ( enabl e^name, O_RDONLY,0)) != -1) 

read(fd,buf ,1); 
authneeded = 0; 
close (fd); 
> else authneeded = X; 



continue; 

) 

if ( !strcmp(c->argv[x) . "-noauth") ) { 
authneeded = 0; 



sprintf (cbuf , "authorize %s 'proxy-telnet %s/%s* ■ ,buf ,rla 
sprintf (cbuf , "authorize %s 'tn-gw %s/%s buf , riaddr, ria 



ddr); 

1381, 1385C1274, 1276 

< /* 

< Check if the address of the socket is not ray address. 

< If not call cmd^connect to connect immediately , to the far end 

< */ 

< notmyaddrO 



> 

> «ifdef 

> debugbindO 
1387, 1398cl27.8, 1280 



BINDDEBUG. 



struct 

char 
char 
char 

int 



sockaddr^in 



f inal_sockaddr; 

f inal_address[1281 ; 
final^ort(16); 
*av[3]; 

f inal_len=s izeof ( f inal_sockaddr ) ; 
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< getsockname(0, (struct sockaddr • ) &f inal^sockaddr ,&f inal.len) ; 

< ' itoa(ntohs(f inal_sockaddr.sin_port) , fina Import ) ; 

< strcpy (final^address, inet^ntoa (f inal_sockaddr . sin_addr) ); 
^ < gvIO] = <char *) (0) ; 

< {1) = £inal_address; 

< av[2) = final_port; 

> struct sockaddr_in raya; 

> int x; 

10 > int nread; 
1400, 1401C1282, 1291 

< #ifdef lODEBUG , r . , 

< syslog(LLEV, -final address is %s port is %s% f mal^address, f inal^port 

); 

g > if{(x s socket (AF^INET, SOCK.STREAM, 0) ) < 0) ( 

> per ror ( " socket " ) ; 

> exitd); 

> > 

> nya.sin^family = AP_INET; 

> bzero(&inya.sin_addr,si2eof (mya.sin^addr) ) ; 

> #ifndef bindoebugport 

20 > raya.sinjort ^ htons (TNPORT) ; 

> #else 

> mya.sin_port - htons (BINDDEBUGPORT) ; 
1403, 1408C1293, 1308 

< 

< if (checknyaddr (&f inal_sockaddr) == 0) return (0) ; 
25 < 

< /* Not my address, do connection to the far end */ 

< cind_connect (3, av. (char *)(0)); 

< return(l); 

> if (bind (X, (struct sockaddr *) &mya, sizeof (mya) ) ) { 

> perror ( "bind" ) ; 

> exitd) ; 

> } 

> if (listen(x,l) < 0) { 

> perror* "listen") ; 

> exitd); 

> > 

35 > if ((nread = accept (x, 0, 0) ) < 0) { 

> perror ( "accept" ) ; 

> exit(l); 

> ) 

> close(O) ; 

> dup (nread) ; 
4Q > closed); 

> dup (nread) ; 
1409al310 

> #endif 



Claims 

1 . A method of providing a secure gateway between a private network and a potentially hostile network, comprising 
50 the steps of: 

a) accepting from either network all communications pacl<ets that are encapsulated with a hardware destination 
address which matches the device address of the gateway; 

b) determining whether there is a process bound to a destination port number of an accepted communications 
55 packet; 

c) establishing a first communications session with a source address/source port of the accepted communi- 
cations packet if there is a process bound to the destination port number, else dropping the packet; 

d) establishing a second communications session with a destination address/destination port of the accepted 
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communications packet if a first communications session is established; and 

e) transparently moving data associated with each subsequent communications packet between the respective 
first and second communications sessions, whereby the first session communicates with the source and the 
second session communicates with the destination using the data moved between the first and second ses- 
5 sions. 

2. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the step of determining involves checking to determine if a process is bound to the destination 
port number, and passing the packet to a generic process if a process is not bound to the destination port number, 

10 the generic process acting to establish the first and second communications sessions and to move the data between 

the first and second communications sessions. 

3. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
In claim 1 wherein the method further involves the steps of: 

15 

a) checking a rule base to determine if the source address requires authentication; and 

b) authenticating the source by requesting a user identification and a password and referencing a database 
to determine if the user identificatbn and password are valid. 

20 4. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the method further involves the steps of: 

a) referencing a rule base after the first communications session is established to determine whether the 
source address is permitted to access to the destination address for a requested type of service; and 
^£ b) cancelling the first communications session If the rule base does not include a rule to permit the source 

address to access the destination address for the requested type of sen/ice. 

5. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 3, wherein the method further involves the steps of: 

30 

a) creating a user authentication file which contains the source address of the authenticated user in a user 
authentication directory; and 

b) referring to the authentication file to determine if a source address has been authenticated each time a new 
communications session is initiated so that the gateway is completely transparent to an authenticated source. 

3S 

6. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 5 wherein the user authentication file includes a creation time variable which is set to a system time value 
when the user is authenticated. 

40 7. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 6 wherein the method further involves the steps of: 

a) updating a modification time variable of the authentication file each time the user initiates a new communi- 
cations session through the gateway station. 

45 

8. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 7 wherein the method further involves the steps of: 

a) periodically checking each user authentication file to determine whether one of a first difference between 
50 the authentication time variable and the system time and a second difference between the modification time 

variable and the system time has exceeded a predefined threshold; and 

b) deleting the user file from the user authentication directory if the threshold has been exceeded by each of 
the first and second differences. 

55 9. A method for providing a secure gateway between a private network and potentially hostile network as claimed in 
claim 1 wherein the method further Involves the steps of: 

a) performing a data sensitivity check on the data associated with each packet as a step in the process of 
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moving the data between the respective first and second communications sessions. 

10. A method of providing a secure gateway between a private networic and a potentially hostile network, comprising 
the steps of; 

5 

a) accepting from either network all TCP/I P packets that are encapsulated with a hardware destination address 
which matches the device address of the gateway; 

b) determining whether there is a proxy process bound to a port for serving a destination port number of an 
accepted TCP/IP packet; 

10 c) establishing a first communications session with a source address/source port number of the accepted 

TCP/I P packet if there is proxy process bound to the port for serving the destination port number, else dropping 
the packet; 

d) determining if the source address/source port number of the accepted packet is permitted to communicate 
with a destination address/destination port number of the accepted packet by referencing a rule base, and 
15 dropping the packet if a permission rule cannot be located; 

d) establishing a second communications session with the destination address/destination port number of the 
accepted TCP/I P packet if a first communications session Is established and the permission rule is located; and 

e) transparently moving data associated with each subsequent TCP/IP packet between the respective first 
and second communications sessions, whereby the first session communicates with the source and the second 

20 session communicates with the destination using the data moved between the first and second sessions. 

11. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
In claim 10 wherein the step of determining involves checking a table to determine if a custom proxy process is 
bound to the destination port number, and passing the packet to a generic proxy process if a custom proxy process 

2S is not bound to the destination port number, the generic proxy process being executed to establish the first and 

second communications sessions and to move the data between the first and second communications sessions. 

12. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the method further involves the steps of: 

30 

a) checking a rule base to determine if the source requires authentication; 

b) checking an authentication directory to determine if an authentication file exists for the source in an Instance 
where the source requires authentication; and 

c) If the source requires authentication and an authentication file for the source cannot be located, authentl- 
35 eating the source by requesting a user identification and a password and referencing a user identification 

database to detemnine if the user Identification and password are valid. 

13. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the method further involves the steps of: 

40 

a) referencing a rule base after the first communications session is established to determine whether a user 
identification/password at the source address is permitted to communicate with the destination address for a 
requested service; and 

b) cancelling the first communications session if the rule base does not include a rule to permit the user iden- 
^ tification/password at the source address to communicate with the destination address for the requested type 

of sen/ice. 

14. A method of providing a secure gateway between a private network and a potentially hostile networi^ as claimed 
in claim 12, vyherein the method further involves the steps of: 

so 

a) creating a user authentication file which contains the source address of the authenticated user in a user 
authentication directory; and 

b) referring to the authentication file to determine if a source address has been authenticated each time a new 
communications session is initiated so that the gateway is completely transparent to an authenticated source 

^ having an authentication file in the authentication directory. 

15. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 14 wherein a file creation time variable which is automatically set by an operating system of the gateway 
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station to a system time value when a file is created, is used to monitor a time when the user is authenticated. 

16. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
In claim 14 wherein the method further involves the steps of: 

5 

a) rewriting the user authentication file each time the user initiates a new communications session through 
the gateway station so that a modification time variable in the authentication file is automatically updated by 
the operating system of the secure gateway 

TO 17. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
In claim 16 wherein the method further involves the steps of: 

a) periodically checking each user authentication file to determine whether one of a first difference between 
the authentication time variable and the system time and a second difference between the modification time 

IS \ variable and the system time has exceeded a predefined threshold; and 

b) deleting the user file from the user authentication directory if the threshold has been exceeded by both of 
the first and second differences. 

1 8. A method for providing a secure gateway between a private network and potentially hostile network as claimed in 
20 claim 1 0 wherein the method further involves the steps of: 

a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving 
the data between the respective first and second communications sessions, whereby the TCP/IP packet Is 
passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts 
25 the data from the packet and passes the data from a one of the first and second communications sessions to 

a proxy process which operates at an application layer of the gateway station and the proxy process executes 
data screening algorithms to screen the data for elements that could represent a potential security breach 
before the data Is passed to the other of the first and second communications sessions. 

30 19. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network, comprising in combination: 

a gateway station adapted for connection to a telecommunications connection with each of the private network 
and the potentially hostile network; 
3S an operating system executable by the gateway statbn. a kernel of the operating system having been modified 

so that the operating system: 

a) cannot fonward any communications packet from the private network to the potentially hostile network 
or from the potentially hostile network to the private network; and 
40 b) will accept for processing any communications packet from either of the private network and the poten- 

tially hostile network provided that the packet is encapsulated with a hardware destination address that 
matches the device address of the gateway station on the respective network; and 

at least one proxy process executable by the gateway station, the at least one proxy process being adapted 
45 to transparently initiate a first communications session with a source of an initial data packet accepted by the 

operating system and to transparently initiate a second communications session with a destination of the 
packet, and to transparently pass the data portion of packets received by the first communications session to 
the second communications session and to pass the data portion of packets received by the second commu- 
nications session to the first communications session, whereby the first session communicates with the source 
50 using data from the second session and the second session communicates with the destination using data 

received from the first session. 

20. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed In claim 19 wherein the operating system is a Unix operating system. 

55 

21 . Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 1 9 wherein the at least one proxy process includes modified public domain proxy 
processes for sewicing Telnet, FTP, and UDP communications. 
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22. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the at least one proxy process is a generic proxy process capable of 
servicing any network service which may be communicated within TCP/IP protocol, on any one of the 64K TCP/IP 
communications ports. 

5 

23. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 22 wherein the kernel is modified so that it will pass to the generic proxy process any 
communications packet having a destination port number that indicates a port to which no custom proxy process 
is bound, if the generic proxy process is bound to a predefined communications port when the communications 

10 packet is received by the kernel. 

24. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 20 wherein the gateway station is a Unix station. 

IS 25. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the apparatus further includes programs for providing a security adminis- 
trator with an interface to permit the security administrator to build a rule base for controlling communications 
through the gateway statbn. 

20 26. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 1 9 wherein the at least one proxy process includes domain proxy processes for sen^- 

icing Gopher and TCP communications. 

27. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
25 network as claimed in claim 1 9 wherein the Gopher proxy process is enabled to authenticate users whenever a 

Gopher session is initiated and user authentication is required. 

28. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 22 wherein the generic proxy process capable of servicing any network service which 

30 may be communicated within TCP/IP protocol, on any one of the 64K TCP/IP communications ports is a TCP proxy 

process. 
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